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AMERICA IS UNDER CYBER ATTACK: WHY 
URGENT ACTION IS NEEDED 


Tuesday, April 24, 2012 

U.S. House of Representatives, 

Subcommittee on Oversight, Investigations, and 

Management, 

Committee on Homeland Security, 

Washington, DC. 

The subcommittee met, pursuant to call, at 2:05 p.m., in Room 
311, Cannon House Office Building, Hon. Michael T. McCaul 
[Chairman of the subcommittee] presiding. 

Present: Representatives McCaul, Long, Duncan, Keating, 
Clarke, Davis, and Thompson (ex officio). 

Mr. McCaul. The committee will come to order. The purpose of 
our hearing is to examine the evolving computer hacking threats 
from nation-states and hacker groups to Government, financial in- 
stitutions, American businesses, and personal computer networks. 

I now recognize myself for an opening statement. America’s com- 
puters are under attack and every American is at risk. The United 
States Government, critical infrastructures, American business in- 
stitutions, and our personal data are being compromised by nation- 
states and hacker groups. Their intent is to conduct cyber warfare, 
paralyzing our infrastructure, stealing our intellectual property, 
conducting espionage, and gaining access to our credit card, bank 
account, and Social Security numbers. 

Richard Clarke, Former Special Advisor on Cybersecurity to 
President Bush, said within the first 48 hours of a cyber attack on 
the United States we could experience the Department of Defense’s 
classified and unclassified networks collapsing as a result of large- 
scale routers failing to function, reports of large oil refinery fires 
as well as lethal clouds of chlorine gas emitting from chemical 
plants, our financial system dissolving as a result of important fi- 
nancial data being lost with no idea of who owns what, pipelines 
carrying natural gas exploding, trains and subways derailed, a Na- 
tion-wide blackout leaving American cities in the dark. 

Unfortunately, this is not a science fiction scenario. There are no 
shells exploding or foreign militaries on our shores. But make no 
mistake: America is under attack by digital bombs. There are sev- 
eral things the American public should understand about these at- 
tacks. They are real, stealthy, and persistent, and could devastate 
our Nation. They occur at the speed of light. They are global and 
can come from anywhere on the Earth. They penetrate traditional 
defenses. 


( 1 ) 
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So who is conducting these attacks and why? An October 2011 
report to Congress on foreign economic collection and industrial es- 
pionage states, it is part of China and Russia’s national policy to 
try to identify and steal sensitive technology which they need for 
their development. China and Russia view themselves as strategic 
competitors of the United States and are the most aggressive col- 
lectors of U.S. economic information and technology. China’s cyber 
warfare capabilities and the espionage campaigns they have under- 
taken are the most prevalent of any nation-state actor. China has 
created citizen hacker groups, engaged in cyber espionage, estab- 
lished cyber war military units and laced the infrastructure with 
logic bombs. 

Russia has advanced capabilities and the intent and techno- 
logical prowess necessary to carry out a cyber attack anywhere in 
the world at any time. Russia has been accused of unleashing a 
cyber war against Estonia in 2011 and shutting down government 
websites. Russia has also taken down Georgia’s banking and gov- 
ernment sites as part of a policy to demonstrate its power during 
a conflict. 

There are, of course, many other countries developing cyber capa- 
bilities and using cyber espionage to steal U.S. trade and tech- 
nology secrets to bolster their own economic development, and all 
of them pose a threat. Besides nation-states, there are groups such 
as Anonymous, Moltsec, and AntiSec who indulge in non-state 
hacktivism or hacking and activism. They are largely a sym- 
pathizer for freedom of information and their agenda is basically to 
protest what they perceive as violations of privacy. These attacks 
are sometimes aimed at individuals but many times used against 
businesses. 

Based on recent arrests here in the United Kingdom — here and 
in the United Kingdom — it appears that the groups consist pre- 
dominantly of juveniles who want notoriety. Non-state hacktivist 
groups have indulged in denial of service attacks against the likes 
of Sony, MasterCard, and Stratfor located in my hometown of Aus- 
tin, Texas. They deface websites, slow down on-line access to the 
internet and steal sensitive information such as password files, 
credit card information, and Social Security numbers. These 
groups, both nation-states and non-state hacktivists, present a 
threat not only to the security of our Nation but also to our per- 
sonal and business files. 

We require a robust National effort to counter these attacks 
against our National interest. The potential of cyber attacks is 
frightening. The Stuxnet worm is groundbreaking malware 
launched against the uranium nuclear program. It was used to 
blow up centrifuges. It is so devious in its use of computer 
vulnerabilities, with such a multi-pronged approach, that the Ira- 
nians had no idea they were being attacked. Such a successful at- 
tack against the United States, with viruses designed to manipu- 
late and bring down our industrial control systems, could cause 
devastating human and economic losses. 

Indeed, General Alexander, Director of the National Security 
Agency, told me that it is not a matter of “if’ but “when” a cyber 
Pearl Harbor will occur. We have been fortunate that up until this 
point, cyber attacks in our country have not caused a cataclysmic 
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event that has brought physical harm to Americans, but that is not 
for lack of an effort on the part of those who mean to destroy our 
way of life. 

Last week Former Secretary of Homeland Security Michael 
Chertoff said it doesn’t take a lot to understand how an attack on 
critical infrastructure during a time of tension could seriously un- 
dermine the ability of a country to defend itself. The Secretary re- 
called: “I had the experience of living through an event that oc- 
curred after there was a fair amount of warning, and four planes 
were hijacked and we lost about 3,000 people. My message to any- 
body who is interested in this, particularly in the Congress, is let’s 
do something meaningful because it is not a tolerable situation.” 

I share the Secretary’s concerns. It is time to do something 
meaningful. 

[The statement of Mr. McCaul follows:] 

Statement of Chairman Michael T. McCaul 
April 24, 2012 

America’s computers are under attack and every American is at risk. The U.S. 
Government, critical infrastructures, American business institutions, and our per- 
sonal data are being compromised by nation-states and hacker groups. 

The intent is to conduct cyber warfare, paralyzing our infrastructure, stealing our 
intellectual property, conducting espionage, and gaining access to our credit card, 
bank account, and Social Security numbers. 

Richard Clarke, former special adviser on cybersecurity to President George W. 
Bush, said within the first 48 hours of a cyber attack on the United States we could 
experience: 

• The Department of Defense’s classified and unclassified networks collapsing as 
a result of large-scale routers failing to function. 

• Reports of large oil refinery fires, as well as lethal clouds of chlorine gas emit- 
ting from chemical plants. 

• Our financial system dissolving as a result of important financial data being 
lost with no idea of who owns what. 

• Pipelines carrying natural gas exploding. 

• Trains and subway derailing. 

• A Nation-wide blackout leaving American cities in the dark. 

Unfortunately, this is not a science fiction scenario. 

There are no shells exploding or foreign militaries on our shores. But make no 
mistake: America is under attack by digital bombs. 

There are several things the American public should understand about these at- 
tacks: 

• They are real, stealthy, and persistent, and could devastate our Nation. 

• They occur at the speed of light. 

• They are global and could come from anywhere on earth. 

• They penetrate traditional defenses. 

Who is conducting these attacks and why? 

An October 2011 Report to Congress on Foreign Economic Collection and Indus- 
trial Espionage states, it is part of China and Russia’s national policy to try to iden- 
tify and steal sensitive technology, which they need for their development. China 
and Russia view themselves as strategic competitors of the United States and are 
the most aggressive collectors of U.S. economic information and technology. 

China’s cyber warfare capabilities and the espionage campaigns they have under- 
taken are the most prevalent of any nation-state actor. China has created citizen 
hacker groups, engaged in cyber espionage, established cyber war military units, 
and laced the U.S. infrastructure with logic bombs. 

Russia has advanced capabilities and the intent and technological prowess nec- 
essary to carry out a cyber attack anywhere in the world, at any time. 

Russia has been accused of unleashing a cyber war against Estonia in 2007 and 
shutting down government websites. 

Russia has also taken down Georgia’s banking and government sites as part of 
a policy to demonstrate its power during a conflict. 
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There are of course many other countries developing cyber capabilities and using 
cyber espionage to steal U.S. trade and technology secrets to bolster their own eco- 
nomic development; and all of them pose a threat. Besides nation-states, there are 
groups such as Anonymous, LulzSec and AntiSec who indulge in non-state 
“hacktivism” or hacking and activism. 

They are largely a sympathizer for “freedom of information,” and their agenda is 
basically to protest what they perceive as violations of privacy. 

These attacks are sometimes aimed at individuals but many times used against 
businesses. 

Based on the recent arrests here and in the United Kingdom, it appears the 
groups consist predominantly of juveniles who want notoriety. 

Non-state hacktivist groups have indulged in denial of service attacks against the 
likes of Sony, Mastercard, and Stratfor, located in my hometown of Austin, Texas, 
defacing websites, slowing down on-line accesses on the internet and stealing sen- 
sitive information such as password files, credit card, and Social Security numbers. 

These groups, both nation-states and non-state hacktivists, present a threat not 
only to the security of our Nation, but also to our personal and business files. We 
require a robust National effort to counter these attacks against our National inter- 
ests. 

The potential of cyber attacks is frightening. The Stuxnet worm is groundbreaking 
malware launched against the Iranian nuclear program. It is so devious in its use 
of computer vulnerabilities with such a multipronged approach that the Iranians 
had no idea they were attacked. 

Such a successful attack against the United States with viruses designed to ma- 
nipulate and bring down our industrial control systems they could cause devastating 
human and economic losses. 

General Alexander, director of the National Security Agency, told me that it is 
not a matter of if, but when a cyber Pearl Harbor will occur. 

We have been fortunate that up until this point cyber attacks in our country have 
not caused a cataclysmic event that has brought physical harm to Americans. But 
that is not for lack of effort on the part of those wbo mean to destroy our way of 
life. 

Last week, former Secretary of Homeland Security Michael Chertoff said “It 
doesn’t take a lot to understand how an attack on critical infrastructure during a 
time of tension could seriously undermine the ability of a country to defend itself.” 

The Secretary recalled, “I had the experience of living through an event that oc- 
curred after there was a fair amount of warning and four planes were hijacked and 
we lost about 3,000 people. My message to anybody who’s interested in this, particu- 
larly in Congress, is let’s do something meaningful because it is not a tolerable situ- 
ation.” 

I share the Secretary’s concerns. It is time to do something meaningful. 

Mr. McCaul. With that, I recognize the Ranking Member of the 
subcommittee, Mr. Keating, for his opening statement. 

Mr. Keating. Thank you, Mr. Chairman. Mr. Chairman, thank 
you for convening today’s hearing. I would also like to acknowledge 
Chairman McCaul’s long-standing interest in cybersecurity efforts. 
I want to also acknowledge the presence of Ms. Clarke, who is the 
Ranking Subcommittee Chair on Cybersecurity, as well as Ranking 
Member Thompson, whose interest in this issue has been long- 
standing, and he is the Ranking Member of the overall committee. 

In 2007 Chairman McCaul, along with Congressman Jim Lan- 
gevin, were named co-chairs of the Center for Strategic and Inter- 
national Studies Commission on Cybersecurity for the 44th Presi- 
dency. Since that time he, among others, have been leaders on this 
issue, and last month he and I co-hosted a House-wide cybersecu- 
rity briefing that included an in-depth discussion on how cyber at- 
tacks threaten our critical infrastructure, cell phones, and com- 
puters. 

I am pleased to see that two of the participating organizations 
in that briefing — CSIS, the Center for Strategic and International 
Studies, and Northeastern University — are testifying today. I look 
forward to continuing to work with Chairman McCaul on cyberse- 
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curity issues and performing oversight of the Department’s role as 
a leading cyhersecurity agency. 

Cyhersecurity, as acknowledged by President Obama, is one of 
the most serious economic and National security threats our Nation 
faces. The impacts of a cyber attack against critical infrastructure 
or our widely-used Federal system are spurring efforts in Wash- 
ington to compel energy companies, along with other operators of 
vital infrastructures, to do more to protect their computer network 
from hackers. Public reports reveal Federal networks have been 
under attack for years, and some accounts point to upwards to 3 
billion cyber attacks a year in the United States. The price of the 
security is not cheap. Government agencies would need to boost cy- 
bersecurity spending more than seven times to block 95 percent of 
hacker attacks, according to a Bloomberg Government study. 

That translates into an annual spending average of $190.3 mil- 
lion per agency, up from the current $26 million, according to the 
study based on interviews with officials of 48 Federal, State, and 
municipal agencies. 

Moreover, one recent study estimated that 71 percent of all com- 
panies experienced a cyber attack last year. The current combined 
financial impact on public and private sector cyber attacks is un- 
known, but estimates are in the billions. Yet as we add up the dol- 
lars and weigh the risks, we must not forget the greatest attack 
will be on the confidence of the American people if even one large- 
scale cyber attack scenario were to materialize. 

It is therefore imperative that we get a full understanding of the 
root causes of cyber attacks, learn from where the threat is derived, 
and ensure that every available means of protection is deployed at 
our disposal. 

Mr. Chairman, last week during our full committee’s markup of 
the Precise Act, I proposed an amendment that would have incor- 
porated the model of the three-legged stool of Government working 
in partnership with academia and industry and to legislation de- 
signed to anticipate cyber threats and develop means to combat 
them. 

I plan to work further in this initiative because even in times of 
greatly-needed cost-saving measures, we should be wary of trading 
in long-term gains for short-term cuts. For this reason, our Govern- 
ment should do more to accelerate the pace of research discovery 
and development in home-grown technologies. I believe that this 
path forward will enable us to see a return on our investments and 
remain competitive in the global economy as well. 

I know that my colleague. Chairman McCaul, is a proponent of 
engaging research institutions in these matters, and I congratulate 
him and his work on the Cyhersecurity Enhancement Act of 2011. 
Unfortunately, this week the House will consider legislation that 
contains broad and ambiguous language, serious privacy implica- 
tions, and that moves away from Homeland Security being the cen- 
tral agency for cyhersecurity efforts. 

The Department through its United States Computer Emergency 
Readiness Team, or US-CERT, has made great strides, and I am 
concerned that the legislation compromising its authority will set 
us back in our fight against cyber attacks. The President, the CSIS 
Commission on Cyhersecurity for the 44th Presidency, and the 
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House Republican Cybersecurity Task Force have all made numer- 
ous recommendations on how to improve cyhersecurity. I would en- 
courage my colleagues to bring legislation to the floor that fully 
protects the Constitutional rights and contains recommendations 
made by these entities. 

I look forward to today’s testimony and am especially glad to 
hear from Dr. Stephen Flynn of Northeastern University as he dis- 
cusses the nature of the cybersecurity threat and his standpoint on 
making universities full-fledged cyhersecurity partners. I yield 
back. 

Mr. McCaul. I thank the Ranking Member, and thank you for 
your special recognition of our efforts and my efforts as well. 

With that, I recognize the Ranking Member of the full com- 
mittee, Mr. Thompson. 

Mr. Thompson. Thank you very much. Chairman McCaul, for to- 
day’s hearing. The threat to our Nation’s cyber systems and net- 
works is real and present. Billions of Americans use the internet 
every day to communicate, pay bills, obtain information, and per- 
form job-related functions. Moreover, the Federal Government re- 
lies on the internet and a network of Federal systems to support 
infrastructure, maintain defense systems, protect power plants and 
water supplies, perform administrative functions of Federal agen- 
cies, and a host of other activities. 

It is therefore imperative that we take seriously the United 
States’ role in securing cyher space from unwanted intrusions and 
dangerous attacks. A large portion of Federal responsibility lies 
with the U.S. Congress. It is our role to ensure that necessary leg- 
islation is passed and provide America with the protection it needs. 
Per the title of today’s hearing, urgent action is needed, and I 
agree. 

However I have consistently noted that what is needed is legisla- 
tion that will accomplish three things: No. 1, address the growing 
cyber threat to critical infrastructure networks; No. 2, promote and 
enhance information sharing between and among private sector 
and the Federal Government while protecting the privacy and civil 
liherties of Americans using the internet; and No. 3, solidify and 
enhance the Department of Homeland Security’s role as a Federal 
Government lead for Federal network security and private sector 
cyber support. 

Unfortunately, none of the bills being voted on by the House this 
week accomplish these goals. As a result, at the end of Cyhersecu- 
rity Week, America will remain without a comprehensive National 
strategy that bears cybersecurity efforts in one domestic agency 
and protects the privacy rights of American citizens. 

While the initial measure introduced by Representative Lungren, 
the chairman of the Committee’s Subcommittee on Cybersecurity, 
Infrastructure Protection, and Security Technologies was not per- 
fect, it took a number of steps in the right direction and would 
have measurably strengthened our Nation’s cyhersecurity posture. 
Yet the key initiatives that I believe were necessary were removed 
at the last minute. Despite these changes, the Republican leader- 
ship has elected not to bring that measure to the House floor. 

So while I look forward to today’s testimony and thank the wit- 
nesses for their participation, I am disheartened by the missed op- 
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portunity to produce the urgent action that is indeed needed. I 
yield back, Mr. Chairman. 

Mr. McCaul. I thank the Ranking Member. I share your con- 
cerns. I do want to say that there are four bills that will be on the 
House floor this week, all of which passed out of committee in a 
bipartisan fashion. I believe it is the leadership’s intent to proceed 
with those bills that will go forward in a bipartisan way, as this 
is an issue that should be a bipartisan issue and not a partisan 
issue. Unfortunately, the bill passed out of Homeland Security was 
not a bipartisan vote. 

When I talked to Secretary of Homeland Security Napoli tano and 
General Alexander, the NSA director, the two key components they 
wanted to see was a codification of the existing legal authorities 
based on Presidential Directives and Executive Orders. The bill 
passed out of committee does that. Also with respect to information 
sharing, that is achieved through the National Cyber security and 
Communications Integration Center. So I think those two key com- 
ponents are addressed in the bill. 

But let me just say this to the Ranking Member. I hope that we 
can work together to make this bill out of this important com- 
mittee, with the agency that really is in the forefront and the cen- 
ter of cybersecurity. I hope we can work together to make this a 
more bipartisan bill and proceed to the House floor. 

With that, other Members are reminded that opening statements 
may be submitted for the record. We are pleased to have a very dis- 
tinguished panel here before us today. 

First, Mr. Henry needs probably little or no introduction and I 
can’t tell you how pleased I am to have him here today. He has 
been a real leader in this area. He is a former executive assistant 
director of the Criminal, Cyber, Response, and Services Branch of 
the FBI, really at the forefront of this effort for so many years. He 
was responsible for all FBI world-wide computer investigations. Ad- 
ditionally, he was an original member of the National cyber study 
group which developed a comprehensive National Cybersecurity 
Initiative. 

Next we have a dear friend of mine, a colleague, somebody I 
worked with, as the Ranking Member mentioned, on the CSIS 
Commission report on cybersecurity. Dr. James Lewis. Jim is a 
senior fellow and director of the Technology and Public Policy Pro- 
gram at the Center for Strategic and International Studies focusing 
on technology. National security and the international economy. 
Previously he was the project director for the CSIS Commission on 
Cybersecurity for the 44tli Presidency. Jim, great to see you here 
again today. 

Next we have Mr. Gregory Wilshusen. It is hard to say that 
three times in a row and get it right. But Greg is the director of 
information security issues at the GAO where he leads information 
security-related studies and audits of the Federal Government. 
Thank you for being here as well. 

Next we have Mr. Stuart McClure who is the executive vice 
president and the worldwide chief technology officer at McAfee. 
Most of you know McAfee is a leader in cyb^ersecurity efforts. At 
McAfee he also served as senior vice president of global threats and 
research. 
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Finally we have Dr. Flynn. Dr. Stephen Flynn is the founding co- 
director of the George Kostas Research Institute for Homeland Se- 
curity at Northeastern University. Prior to September 11 he served 
as an expert advisor to the U.S. Commission on National Security, 
the Hart-Rudman Commission. Dr. Flynn served in the Coast 
Guard on active duty for 20 years, and we thank you for your serv- 
ice, Dr. Flynn, in that regard. 

So with that, the Chairman now recognizes Mr. Henry for his 
testimony. 

STATEMENT OF SHAWN HENRY, FORMER EXECUTIVE ASSIST- 
ANT DIRECTOR, CRIMINAL, CYBER, RESPONSE, AND SERV- 
ICES BRANCH, FEDERAL BUREAU OF INVESTIGATION 

Mr. Henry. Good afternoon Chairman McCaul, Ranking Member 
Keating, and Members of the subcommittee. I am pleased to be 
here today with the distinguished witnesses to discuss the cyber 
threats facing our Nation and how these threats impact our Gov- 
ernment and our private-sector networks. It is difficult to overstate 
the potential harm these threats pose to our economy, our National 
security, and the critical infrastructure upon which our country re- 
lies. 

I am currently the president of CrowdStrike Services, a computer 
security organization. But up until last month I led all the FBI 
cyber efforts, as the Chairman noted, and I saw with deep granu- 
larity the threats that we face. The number and sophistication of 
these cyber attacks has increased dramatically over the past 5 
years and it is going to continue to grow. The threat has reached 
the point that given enough time, motivation, and funding, a deter- 
mined adversary will likely penetrate any system that is accessible 
directly from the network. I do not believe our critical infrastruc- 
ture can remain unscathed in the long term if the current environ- 
ment remains unchanged. With the depth and breadth of the intru- 
sions that I have seen, I believe it is necessary for network admin- 
istrators to assume that they have already been breached rather 
than waiting for their network intrusion systems to alert them to 
an infiltration. 

Network security compliance in and of itself falls far short of the 
continuous evaluation that needs to be done on our networks every 
single day. Cyber criminal threats to the United States result in 
significant economic losses. Cyber criminals are forming private 
trusted and organized groups to conduct cyber crime, and these 
groups are accessing personally identifiable information which in- 
cludes banking, brokerage account information, credentials and 
credit card numbers of individuals and businesses that can be used 
for financial gain. The economic consequences are severe, and there 
have been hundreds of millions of dollars lost in the financial serv- 
ices sector alone. 

But that doesn’t even begin to tell the real story about what is 
happening to this Nation. A colleague of mine recently used an 
analogy where an iceberg represents the totality of threats to the 
information infrastructure. Cyber crime, as I have just described, 
is merely the tip of the iceberg. The biggest threats are below the 
waterline, just like the vast majority of an iceberg. The public sees 
the tip because cyber crime is regularly reported in the media — 
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stolen credit cards, lost identities, eastern European organized 
crime groups, and breached bank accounts. The waterline is the 
separation between the unclassified and classified environment. 
Thus, the most sophisticated and damaging attacks occur primarily 
out of the public sight. 

I would offer that only a small percentage of individuals, pri- 
marily those in the intelligence community, have ever seen below 
the waterline, and the real threat is grossly underappreciated by 
the public. 

The most significant cyber threats to our Nation are those with 
high intent and high capability to inflict damage or even death in 
the United States, to illicitly acquire substantial assets, or to ille- 
gally obtain sensitive or unclassified U.S. military, intelligence, or 
economic information. These are the threats from foreign intel- 
ligence services who assault U.S. businesses many times every sin- 
gle day, 365, and for those I have seen below the waterline. 

The threat continues unabated. U.S. critical infrastructure faces 
a growing threat due to advancements in the availability and so- 
phistication of malicious software tools and the fact that new tech- 
nologies raise new security issues that are not always addressed 
prior to adoption. Specifically, industrial control systems which op- 
erate the physical processes of the Nation’s pipelines, electricity, 
and other critical infrastructures are at elevated risk of cyber ex- 
ploitation. 

Today, likely only advanced threat actors are capable of employ- 
ing these techniques. But as we have seen with other malicious 
software tools, these capabilities will eventually be within reach of 
all threat actors. 

So what does this all mean? I believe most major companies have 
already been breached or will be breached, resulting in substantial 
losses of information, economic competitiveness, and National secu- 
rity. Many are breached and have absolutely no knowledge that an 
adversary was or remains resident on their network, oftentimes for 
weeks, months, or even years. 

While I was executive assistant director at the FBI, our agents 
regularly knocked on the door of victim companies and told them 
their network had been intruded upon and their corporate secrets 
had been stolen because we found their proprietary data resident 
on a server in the course of another investigation. We were rou- 
tinely telling organizations they were victims, and these victims 
ranged in size and industry and cut across all financial critical sec- 
tors, or all critical sectors. 

For those companies that do know and fail to report or address 
the breach, they are aiding and assisting in the foreign intelligence 
service collection, and their corporate infrastructure is a component 
of the adversary’s collection platform. Although our adversary cyber 
capabilities are at an all-time high, combating this challenge needs 
to be a top priority for both the public and the private sector. 

The adversary is persistent. It is not enough to stop their attack 
once or twice. They will keep coming until they get in. The problem 
with existing technologies and threat mitigation tactics is they are 
too focused on adversary tools like malware and exploits, and not 
on who the adversary is and how they operate. 
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Ultimately, we focus on the enemy and take the fight to them to 
raise their cost of attack, and we will fail because they will always 
get through if we don’t take that approach. This requires us to stop 
solely playing defense. The sophisticated adversary practices crafty 
offense and the offense outpaces the defense. While we certainly 
need to continue defense and not let our guard down, we need to 
be more proactive and strategic in our approach. We cannot stand 
by and wait for them to trip an alarm as they shake the proverbial 
fence, because the sophisticated adversaries are jumping right over 
the fence. They are never tripping an alarm. They are bypassing 
the intrusion detection systems. We must assume that they are al- 
ready inside the perimeter and we must constantly hunt them on 
our networks to identify and mitigate their actions. 

Hunting necessitates us acquiring a better sight picture of who 
the adversary is, the assets they are targeting, the techniques they 
are employing and who exactly they are. This is where intelligence 
sharing is critical. 

Technology is just a piece of the solution, not the sole solution. 
What we have is an adversary problem, not a malware problem. 
Let me repeat that piece about intelligence. The sharing of intel- 
ligence is critical and the U.S. Government needs to develop better 
protocols to share intelligence broadly across the private sector. 

In conclusion, we face significant challenges in our efforts to com- 
bat the cyber attack. I am optimistic that by strengthening part- 
nerships and effectively sharing intelligence and successfully iden- 
tifying our adversaries, we can best protect our businesses and crit- 
ical infrastructure. However, I would be remiss if I didn’t say this: 
Recognizing this is a complex problem; there are many moving 
parts. I appreciate the committee’s statement about the sense of ur- 
gency. It is really, really important because our Nation is at risk 
and we cannot stand by and admire this problem. 

I look forward to working with the subcommittee and Congress 
as a whole to determine a successful course forward and ensure 
that we can have a safe, positive, economic, and social benefit from 
the internet while minimizing the risks posed to us by our adver- 
saries. 

[The prepared statement of Mr. Henry follows:] 

Prepared Statement of Shawn Henry 
April 24, 2012 

Good afternoon Chairman McCaul, Ranking Member Keating, and Members of 
the subcommittee. I’m pleased to be here today to discuss the cyber threats facing 
our Nation and how these threats impact our Government and private-sector net- 
works. It is difficult to overstate the potential harm these threats pose to our econ- 
omy, our National security, and the critical infrastructure upon which our country 
relies. 


THE CYBERSECURITY THREAT 

As the subcommittee is aware, the number and sophistication of cyber attacks has 
increased dramatically over the past 5 years and is expected to continue to grow. 
The threat has reached the point that, given enough time, motivation, and funding, 
a determined adversary will likely penetrate any system that is accessible directly 
from the internet. Even systems not touching the network are susceptible to attack 
via other than remote access, including the trusted insider using devices such as 
USB flash drives, and the supply chain. 
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It is difficult to say with confidence that our critical infrastructure — the backbone 
of our country’s economic prosperity, National security, and public health — will re- 
main unscathed and always be available when needed. In fact, I have stated pub- 
licly that with the depth and breadth of the intrusions I’ve seen, I believe it is nec- 
essary for network administrators to assume they have already been breached rath- 
er than waiting for their intrusion detection systems to alert them to an infiltration. 

CRIMINAL CYBER THREATS AGAINST THE PRIVATE SECTOR 

Cyber criminal threats to the United States result in significant economic losses. 
Cyber criminals are forming private, trusted, and organized groups to conduct cyber 
crime. The adoption of specialized skill sets and professionalized business practices 
by these criminals is steadily increasing the complexity of cyber crime by providing 
actors of all technical abilities with the necessary tools and resources to conduct 
cyber crime. Not only are criminals advancing their abilities to attack a system re- 
motely, they are becoming adept at tricking victims into compromising their own 
systems. 

Once a system is compromised, cyber criminals will use their accesses to obtain 
Personally Identifiable Information (PII), which includes on-line banking/brokerage 
account credentials and credit card numbers of individuals and businesses that can 
be used for financial gain. As cyber crime groups increasingly recruit experienced 
actors and pool resources and knowledge, they advance their ability to be successful 
in crimes against more profitable targets and will learn the skills necessary to evade 
the security industry and law enforcement. 

The potential economic consequences are severe. The sting of a cyber crime is not 
felt equally across the board. A small company may not be able to survive even one 
significant cyber attack. 

Often, businesses are unable to recoup their losses, and it may be impossible to 
estimate their damage. Many companies prefer not to disclose that their systems 
have been compromised, so they absorb the loss, making it impossible to accurately 
calculate damages. As a result of the inability to define and calculate losses, the 
best that the Government and private sector can offer are estimates. Over the past 
5 years, estimates of the costs of cyber crime to the U.S. economy have ranged from 
millions to hundreds of billions. A 2010 study conducted by the Ponemon Institute 
estimated that the median annual cost of cyber crime to an individual victim organi- 
zation ranges from $1 million to $52 million. 

According to a 2011 publication released by Javelin Strategy and Research, the 
annual cost of identity theft is $37 billion. This includes all forms of identity theft, 
not just cyber means. The Internet Crime Complaint Center (ICS), which aggregates 
self-reported complaints of cyber crime, reports that in 2010, identity theft schemes 
made up 9.8 percent of all cyber crime. 

THE TIP OF THE ICEBERG 

A colleague of mine recently used an analogy where an iceberg represents the to- 
tality of threats to the information infrastructure. “Cyber crime”, as described above, 
is merely the tip of the iceberg; the biggest threats are “below the water line”, just 
like the vast majority of an iceberg. The public sees “the tip” because the cyber 
“crime” is regularly reported in the media; stolen credit cards, lost identities, East- 
ern European Organized Crime groups; and breached bank accounts. The “water 
line” is the separation between the unclassified and classified environment; thus, 
the most sophisticated and damaging attacks occur primarily out of the public’s 
sight. 

I would offer that only a very small group of individuals — primarily those in the 
intelligence community — have ever seen “below the water line”, and the real threat 
is grossly underappreciated by the public. The most significant cyber threats to our 
Nation are those with high intent and high capability to inflict damage or even 
death in the United States; to illicitly acquire substantial assets; or to illegally ob- 
tain sensitive or classified U.S. military, intelligence, or economic information. 
These are the threats from foreign intelligence services, and for those I have seen 
below the waterline. 

CYBER THREATS TO U.S. CRITICAL INFRASTRUCTURE 

The threat continues unabated. U.S. critical infrastructure faces a growing cyber 
threat due to advancements in the availability and sophistication of malicious soft- 
ware tools and the fact that new technologies raise new security issues that are not 
always addressed prior to adoption. The increasing automation of our infrastruc- 
tures provides more cyber access points for adversaries to exploit, and the target 
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set grows daily as more and more data is pushed, transmitted, or stored on the net- 
work. 

New “smart grid” and “smart home” products, for example, designed to provide 
remote communication and control of devices in our residences, businesses, and crit- 
ical infrastructures, must be developed and implemented in ways that will also pro- 
vide protection from unauthorized use. Otherwise, each new device will become a 
doorway into our systems for adversaries to use for their own purposes. 

Industrial control systems, which operate the physical processes of the Nation’s 
pipelines, railroads, and other critical infrastructures, are at elevated risk of cyber 
exploitation. We need to be concerned about the proliferation of malicious tech- 
niques that could degrade, disrupt, or destroy critical infrastructure. Though likely 
only advanced threat actors are currently capable of employing these techniques, as 
we have seen with other malicious software tools, these capabilities will eventually 
be within reach of all threat actors. 

WHAT DOES ALL THIS MEAN? 

I believe most major companies have already been breached or will be breached, 
resulting in substantial losses of information, economic competitiveness, and Na- 
tional security. Many are breached and have absolutely no knowledge that an adver- 
sary was or remains resident on their network, often times for weeks, months, or 
even years. While I was EAD at the FBI, our agents regularly knocked on the door 
of victim companies and told them their network had been intruded upon and their 
corporate secrets stolen, because we found their proprietary data resident on a serv- 
er in the course of another investigation. We were routinely telling organizations 
they were victims, and these victims ranged in size and industry, and cut across 
all critical sectors. 


ADDRESSING THE THREAT 

Although our cyber adversaries’ capabilities are at an all-time high, combating 
this challenge needs to be a top priority for both the public and the private sector. 
We need to continue to develop partnerships within industry, academia, and across 
all of Government to have a dramatic improvement in our ability to share intel- 
ligence to combat this threat. 

The adversary is persistent. It’s not enough to stop their attack once or twice; 
they will keep trying until they get in. The problem with existing technologies and 
threat-mitigation tactics is they are too focused on adversary tools (malware and ex- 
ploits) and not on who the adversary is and how they operate. Ultimately, until we 
focus on the enemy and take the fight to them to raise their cost of attack, we will 
fail because they will always get thorough. 

This requires us to stop relying solely on “defense.” The sophisticated adversary 
practices crafty offense, and the offense outpaces the defense. While we certainly 
need to continue defense — we cannot let our guard down — we need to be more 
proactive and strategic in our approach. 

We cannot stand by and wait for them to trip an alarm as they shake the prover- 
bial fence; sophisticated adversaries jump OVER the fence, bypassing the intrusion 
detection “alarm” entirely. We must assume they are already inside the perimeter, 
and we must constantly hunt them on our networks to identify and mitigate their 
actions. 

Hunting necessitates us acquiring a better site picture of the adversary — what as- 
sets are they targeting, what techniques are they employing, and who, exactly, are 
they? This is where intelligence sharing is critical; using advanced intelligence tech- 
nology, companies can share information enabling them to learn the human aspects 
of the attack, become more predictive, and thus preventative. Technology is a piece 
of the solution, not the sole solution, because what we really have is an adversary 
problem. 


CONCLUSION 

We face significant challenges in our efforts to combat the cyber threat. I am opti- 
mistic that by strengthening partnerships, effectively sharing intelligence, and suc- 
cessfully identifying our adversaries, we can best protect businesses and critical in- 
frastructure from grave damage. 

I look forward to assisting the subcommittee and Congress as a whole to deter- 
mine a successful course forward for the Nation that allows us to reap the positive 
economic and social benefits of the internet while minimizing the risk posed by 
those who seek to use it to do us irreparable harm. 
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Mr. McCaul. Thank you Mr. Henry for your service and for your 
insight to this committee. 

Next, the Chairman recognizes Mr. Lewis. 

STATEMENT OF JAMES A. LEWIS, DIRECTOR AND SENIOR FEL- 
LOW, TECHNOLOGY AND PUBLIC POLICY PROGRAM, CEN- 
TER FOR STRATEGIC AND INTERNATIONAL STUDIES 

Mr. Lewis. Thank you, Mr. Chairman. Thanks to the Members 
of the committee for the opportunity to testify. Many of you, of 
course, are already familiar with the problem, so I will touch on 
two issues in particular: Cyber espionage and cyber attack. Cyber 
espionage is our biggest problem, as you just heard, but most 
breaches are not reported. The best example is the 2010 Google in- 
cident which involved at least 35 other Fortune 500 companies, 
none of whom reported a problem. Concealing losses makes busi- 
ness sense, but it also makes it hard to plan a good defense. Per- 
haps the new SEC ruling will change this, but it hasn’t changed 
yet. 

It is difficult to value the loss from cyber espionage, but all the 
estimates I have looked at put it in the tens or even hundreds of 
billions of dollars per year. The damage from espionage depends on 
whether the acquiring nation can use the technology. Sometimes it 
can take years for them to benefit. In other cases the benefit can 
be immediate, and we can identify foreign programs that appear to 
be based on U.S. technology. The clearest damage comes from the 
loss of military technology, but America’s technological leadership 
and economic competitiveness is at risk. The fastest growing threat 
comes from the proliferation of the ability to attack critical infra- 
structure. 

We have been hearing about cyber Pearl Harbors and cyber Ar- 
mageddons for about 15 years, and a reasonable person could ask: 
Why isn’t this hype? Here is why it is not hype. Experiments at 
Idaho National Labs in 2007 showed that software sent over the 
internet could cause physical destruction by exploiting 
vulnerabilities in industrial control systems. Stuxnet confirmed 
this. There has been at least one other unreported incident. Just 
yesterday we saw oil facilities in Iran damaged by cyber attack. 

Only a few countries currently have this capability but new 
classes of opponents want them and are seeking to acquire them. 
This includes Iran and North Korea. These regimes are not known 
for stable decision making. Both have development programs and 
both have experimented with attacks. FBI Director Mueller points 
out that Iran may be losing its reluctance to attack the United 
States directly. 

Non-state actors, particularly Western anti-Government groups, 
are also exploring cyber attack. You can download the tools that 
will find critical infrastructure vulnerabilities easily off the inter- 
net. I did it last week and I toyed around with it and found 6,000 
vulnerable networks. It was kind of fun. Combine these reconnais- 
sance tools with the attack tools available in the cyber crime black 
market, and someone with good hacking skills — and there are 
many in these groups — could attack the poorly-defended critical in- 
frastructures that are found in this country. 
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As cyber attack capabilities become commoditized, the tempta- 
tion for these politically motivated groups to use them against vul- 
nerable U.S. targets will increase. The greatest threat to cybersecu- 
rity in America, however, is complacency. There are some in the 
internet community who still believe that the internet can heal 
itself This is just naive. There are some business groups who 
ar^e that a disaggregated, voluntary approach to cybersecurity 
guided by information sharing will be adequate. This was tried in 
the Clinton administration. It did not work then, it does not work 
now, it will not work in the future when our opponents are more 
advanced and when we are more dependent on cyber space. 

The future of threats in cyber space involves the diffusion and 
the commoditization of attack capabilities. It will involve an in- 
creased number of privacy breaches and the loss of intellectual 
property. There are a number of steps that could reduce these 
risks, but unfortunately it appears that we may need to wait for 
a damaging cyber attack to make us move. 

I appreciate all the work the committee has done, both the full 
committee and the subcommittees. I know you are trying hard, but 
I think this attack is inevitable. Thank you for the opportunity to 
testify and I look forward to your questions. 

[The prepared statement of Mr. Lewis follows:] 

Prepared Statement of James A. Lewis 
April 24, 2012 

Every week — it’s getting kind of boring — we read about hackers pilfering some 
company’s database and stealing data on thousands or even millions of individuals. 
These are private-sector networks and they point to a crucial problem for assessing 
cybersecurity. Government agencies have to be transparent about breaches. Compa- 
nies have to report breaches when it affects consumer privacy. But companies don’t 
have to report breaches involving intellectual property or critical infrastructure. In 
fact, it is in their interest to conceal them. Perhaps the new Security and Exchange 
Commission Ruling that asks companies to report cyber incidents that damage 
shareholder value will change this, but it is too early to tell. 

So we have frequent reports of penetrations to governments’ systems, weekly or 
daily reports of penetrations of company networks that affect privacy, and almost 
no reports of penetrations affecting intellectual property and critical services. This 
pattern is not credible — the level of privacy-related penetrations companies report 
is likely to also be the real level of intellectual property-related penetration. It’s just 
not reported. We know from anecdotal data and from a few published instances that 
these network penetrations occur frequently. This anomaly in the reporting suggests 
we really lack — in open-source information — a clear understanding of the threat to 
the American private sector, and that protestations that private networks are secure 
or do a better job are, to put it charitably, inaccurate. 

An accurate assessment of threats in cyber space is essential for effective defense. 
A defense built on fictions will fail the first time it is tested. There is too much 
wishful thinking and complacency in the face of a threat that is growing as potential 
attackers acquire new capabilities and as our economy becomes more dependent on 
the internet and other cyber technologies. Digital networks are now the backbone 
of economic activity and National security, but our efforts to secure them remain 
haphazard, putting our Nation at risk. We can better understand this risk by look- 
ing at three separate categories of threat — espionage, crime, and attack. 

Our adversaries include powerful states, skilful criminals, and a range of extrem- 
ist groups. We are hampered in our defense against these opponents when we try 
to treat cybersecurity as a business problem. Some companies will take adequate 
defense measures; other will not. It makes business sense for an intelligence agency 
to spend lavishly to penetrate an opponent’s network. It does not make business 
sense for companies to spend at the same rate to defend. To put this in military 
terms, we have an uncoordinated defense that is easy to defeat in detail. 

Cyber espionage is the most pressing threat we face. The loss of intellectual prop- 
erty and business confidential information — economic espionage — using hacking and 
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other techniques poses a threat to National security by undermining the military 
advantage provided by technology and by damaging economic competitiveness. The 
rate and degree to which National security is damaged depends, of course, on the 
ability of the acquiring nations to actually use the technology they steal and on 
America’s own economic policies and Government support for science and engineer- 
ing — our own economic policies and laws probably do more damage than cyber espio- 
nage — but there are many troubling incidents that suggest that real harm is being 
done. A major oil company lost exploration data worth hundreds of millions to a for- 
eign attacker. We all know the Google case — at least 34 other high-tech companies 
were also penetrated, although they did not report the fact. Foreign hackers took 
IMF and G-20 documents relating to global financial negotiations. The delays and 
cost overruns in the F-35 program may be the result of cyber espionage, as could 
the rapid development of China’s J-20 stealth fighter. Industries as diverse as 
chemicals, telecommunications, and solar energy have all suffered from cyber espio- 
nage. 

The most harmful form of cyber espionage is state-directed. Foreign nation-state 
opponents are sophisticated intelligence agencies and advanced militaries whose 
business is to defeat network defenses and who have a demonstrated capacity to 
easily exploit commercial and Government networks. They have resources and per- 
sistence and their work can be seen as an extension of traditional espionage activi- 
ties. Our network defenses are so poor, particularly in the “dot.com” space, that the 
effort to break in probably only takes these agencies and their proxies a few months 
of effort. 

There is no convincing estimate of the cost of economic espionage to the United 
States. One study put the cost at perhaps $30 billion a year (in 2011 dollars) but 
other studies estimate the loss to be in the hundreds of billions. These higher fig- 
ures exaggerate loss, but whatever the dollar figure, the illicit acquisition of tech- 
nology and the loss of confidential political and business information hurts Amer- 
ican security. The insight into Government policies, and strategic industries pro- 
vided by cyber espionage, and the acceleration of competitor technological develop- 
ment, provide foreign competitors with a tangible advantage that harms the United 
States. The committee may wish to ask, for example, for classified briefing on im- 
provements in China’s stealth and submarine capabilities and the possible relation 
between these improvements and hacking incidents at defense contractors over the 
last decade. 

We do not want to assume that losses are distributed evenly across all sectors of 
the economy. State-sponsored espionage will focus on area of concern to govern- 
ments: Advanced technologies in aerospace, materials, information technology, and 
sensors, as well as commercially valuable financial data and energy-related informa- 
tion. Semiconductors and solar energy have been prime targets recently. Private en- 
tities also engage in cyber espionage, in many cases they do so with the acceptance 
of their governments. Hacking by private companies and individuals could engage 
a much broader swath of companies and technology. This probably reflects not only 
commercial interests but also an official policy to encourage the illicit acquisition of 
technology as a way to promote economic growth. 

Cyber espionage ranks first as a threat to the United States and other developed 
countries. Cyber crimes focused on financial gain are a lesser threat, but they dam- 
age public safety by putting private citizens and companies at risk of monetary loss. 
Anecdotal evidence suggests that crime against banks and other financial institu- 
tions probably costs the United States a several hundred million dollars every year. 
This is not a major economic loss, but harms American citizens and does some dam- 
age to our economy. However, cyber crime also threatens National security in that 
it allows potential opponents to maintain and train proxy forces at our expense. Na- 
tions like Russia and China are sanctuaries for cyber crime because it allows them 
to maintain “irregular forces” in cyber space — hackers who can be tapped to do the 
state’s bidding in espionage, coercion, or attack. 

A recent opinion piece in a leading newspaper illustrates how confusing the dis- 
cussion of cybersecurity has become, and helps explain why America may be too 
slow in constructing adequate defenses. The essay posited that most cyber criminals 
did not make much money, and that the threat they posed was overblown. You can 
test this formula by applying to it mugging: Most muggers do not make much 
money, so by the same logic, mugging is not a problem. This formula is divorced 
from any serious concept of public safety. Similarly, the National security implica- 
tions of cyber crime were overlooked. Since cyber criminals are the proxy forces — 
the irregulars — that our two most dangerous opponents in cyber space use for Na- 
tional ends, cyber crime is an indirect and unwitting subsidies from American com- 
panies to foreign military and intelligence services. 
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Cyber espionage and crime happen on a daily basis. This is [sic] nto the for [sic] 
cyber attacks against critical infrastructure or services, which have been few and 
far between. The threat comes from the spread of attack capabilities. In 2007, tests 
at the Idaho National Labs showed that sending malicious instructions via computer 
networks to the industrial control systems used to run critical infrastructure could 
cause machines to destroy themselves. Stuxnet produced a similar effect. These inci- 
dents showed that software can be sued as a weapon, and the internet as a delivery 
vehicle. Espionage and crime exploit vulnerabilities in networks technologies; at- 
tacks on critical infrastructure compound this by exploiting not only network 
vulnerabilities but also the vulnerabilities in industrial control systems. There is no 
economic incentive to fix these control vulnerabilities because they will not affect 
normal operations and they will become visible only when there is an attack. While 
the cost of cyber crime is relatively small, it is an integral part of other, more dan- 
gerous threat we face, including the ability to launch a damaging cyber attack. 

These attacks have been long prophesied, but we have only seen two or three. 
Only a few nations have the capability to destroy critical infrastructure and they 
are unlikely to use it outside of a war. We know that our two most likely military 
opponents have the capability to penetrate networks, scramble data, disrupt critical 
services, and even cause physical damage. We also know that they are more 
deterrable, more responsible, and in the case of China, face major disincentives, as 
a disruptive cyber attack would do as much damage to their own country, given how 
deeply our two nations’ economies are intertwined. 

You sometimes hear analysts say that we are in a covert cyber war with China. 
This is inaccurate. We should stop trying to cram our complicated relationship with 
China into a simple Cold War framework. China and the United States are inter- 
dependent in ways that were inconceivable for the United States and Soviet Union. 
China is challenging the United States, but it is not a peer-competitor. Although it 
is rapidly increasing its military capabilities, it does not pose the existential threat 
to the United States that the Soviet Union posed. Given the deep distrust and hos- 
tility between the two nations, and the competition for regional and global influence, 
cybersecurity is a potential flashpoint in the bilateral relationship and a source of 
growing tension, but this is not war. 

The number of nations seeking to acquire cyber attack capabilities is Rowing rap- 
idly — cyber attack is becoming a standard element in military planning. A more 
troubling development is that new classes of opponents are seeking the ability to 
launch cyber attacks. These new classes of opponents will not be as easily con- 
strained. They are more likely to use cyber attack and all evidence suggests that 
we have nothing in the way of adequate defense. We simply do not take the threat 
of cyber attack seriously — would anyone not paid to do so argue that information 
sharing and voluntary action would protect us from terrorism? Or that telling com- 
panies what missiles and aircraft look like would be an adequate defense against 
a nuclear strike? But it is an American tradition to be surprised by opponents and 
only take action after the first attack. 

The area of greatest concern is in the diffusion of the ability to attack critical in- 
frastructure, to less responsible and less deterrable actors who may calculate that 
it is in their interest to launch a cyber attack against the United States. Attack ca- 
pabilities could spread if private hackers to independently discover the techniques 
currently possessed by governments. Some members of the hacker community have 
amazing capabilities. Another way attack capabilities could spread would be for 
hackers who are government proxies in Russia and China to “commercialize” the 
skills and tools they have been provided for official purposes. These proxies receive 
training and support from military and intelligence agencies. They also participate 
in the cyber crime black markets. The flow from government agencies to proxies to 
the black market is likely, although it appears that governments still reserve the 
most advanced attack technique to themselves. 

It is difficult to assess how rapidly attack capabilities are growing outside of gov- 
ernments, and the actual transmission mechanism for cyber attack tools is unclear. 
For example, more than a decade ago, foreign intelligence agencies had the ability 
to activate cell phones and use them as listening devices even if they were turned 
off Variants of this technique appear to be entering the black market. We do not 
know if it is because someone is commercializing a skill they learned from govern- 
ment service or if it is an independent discovery. People play with the technology 
and code — this is the original meaning of hacking — and find how to do interesting 
things the designers never intended or suspected were possible. 

The most advanced exploits are still out of reach, however, for all but large, well- 
resourced attackers. Stuxnet, for example, combined deep engineering knowledge 
and clandestine intelligence techniques with advanced hacking skills. Private hack- 
ers and most governments do not yet have the capability to launch a Stuxnet-like 
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attack (but this is coming). That some of the Stuxnet code is publicly available does 
not really increase risk. Many cyber attacks are “single-use” exploits that work as 
a surprise but are much less effective after the target reacts and adjusts. In the 
United States, for example, a 2010 survey found that three-quarters of American 
utilities said they had put in place defenses against Stuxnet. These utilities would 
most likely be able to deflect a Stuxnet-like attack, while only the others would still 
be vulnerable. 

Stuxnet has increased risk as it has shown the world how to stage a damaging 
cyber attack, but there are many options other than Stuxnet. Unfortunately, even 
private hackers can exploit freely available information on vulnerabilities and pene- 
tration techniques to attack many commercial networks and the critical infrastruc- 
ture connected to them. Why use an advanced attack like Stuxnet when a simple 
attack will work so well? There are tools that allow anyone to scan the internet to 
find unprotected digital devices at critical infrastructure facilities that connect con- 
trol systems to the internet. You can scan for devices that are improperly config- 
ured, devices such as wireless routers that come from the manufacturer with the 
password set as “password.” It does not take a mastermind to break into such sys- 
tems. 

These tools are widely available. Informal tests using these tools can find several 
thousand insecure connections in the United States on any given day. They provide 
a “consumer version” of the cyber reconnaissance an advanced power would carry 
out in planning an attack against the United States. Combine these publicly avail- 
able reconnaissance tools with attack tools available on the cyber crime black mar- 
ket, and anyone with sufficiently advanced hacking skills will be able to attack poor- 
ly defended critical infrastructure or other commercial targets. 

The diffusion and consumerization of attack capabilities is not the only growing 
source of threat. We must also consider motivation and intent, in addition to capa- 
bility. The few nations that currently possess advanced cyber attack capabilities are 
deterred by American military force or they are our allies. Most cyber criminals only 
engage in actions that generate income. Attacking critical infrastructure does not 
generate income unless extortion is involved (by threatening to disrupt services if 
the criminal is not paid). Cyber criminals have no motive to launch a cyber attack 
unless they are acting as government proxies or unless they have been hired as 
mercenaries. 

This is where the nexus between the diffusion of attack capabilities and intent 
become important. There are countries and groups that would like to attack the 
United States and are not as deterrable as our current adversaries. As nations and 
hackers develop more sophisticated attack capabilities and as sophisticated attack 
tools become available on the cyber crime black market, the threat of attack is in- 
creasing. 

We know that two countries hostile to the United States are developing cyber at- 
tack capabilities. North Korea has been pursuing cyber capabilities for more than 
a decade but the backwardness of its economy has so far limited its success. North 
Korea lacks easy access to advanced technologies. Its tightly controlled population 
is an unlikely source of hackers, as North Koreans do not have the independence 
and internet access hackers need to thrive. Technological backwardness and political 
culture are major obstacles to developing strong hacking capabilities, but, as with 
nuclear weapons, if North Korea is able to support sustained investment in cyber 
attack capabilities and find some outside support, it will eventually acquire them. 
North Korea’s erratic behavior suggests it will use cyber attacks against South 
Korea, Japan, or U.S. forces in Korea, should it succeed in its long quest to obtain 
a cyber attack capability. 

Iran is a more troubling case. Iran has also been pursing the acquisition of cyber 
attack capabilities for several years. Iran has been for many years willing to attack 
U.S. forces and embassies in the region, and FBI Director Mueller stated in recent 
testimony that Iran is more willing to carry out attacks inside the United States. 
Statements by Iranian officials show that they believe that the United States, along 
with Israel, was responsible for the Stuxnet attacks and suggest that they believe 
they would be justified in retaliating in kind. Iran’s attack capabilities are still lim- 
ited but they have probed Israeli networks in what appear to be tests. Iranian hack- 
ers have greater access to the internet and to the cyber black market than North 
Korea, suggesting that their development of cyber capabilities will be more rapid. 

Iran, even more than North Korea, could miscalculate the costs of a cyber attack 
against the United States. Iran has groups that it sponsors, like Hezbollah, that it 
has used in the past to attack Americans. The Iranians may believe that these prox- 
ies will make it difficult for the United States to attribute an attack and this will 
reduce their perceptions of the risk of a cyber attack on American targets. Iran rou- 
tinely exaggerates its military capabilities and its claims of cyber prowess are dubi- 
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ous, but there is a clear commitment (as with nuclear weapons) by the regime to 
continue its efforts to acquire the ability to launch cyber attacks. 

Finally there are non-state, anti-American and activist groups that already make 
extensive use of the internet. As cyber attack capabilities become “commoditized,” 
the temptation for these politically motivated groups to use them against vulnerable 
U.S. targets will increase. We have not seen terrorist groups use cyber attacks — 
they seem to have neither the capability nor the interest — but since these groups 
make extensive use of the internet they could eventually be attracted to cyber at- 
tack if the means to carry it out are easily available. Some non-state actors are 
grouped under the label “Anon 3 Tnous,” a disparate and decentralized federation of 
internet activists where many members espouse anti-government or anti-American 
ideas. The name “Anonymous” is misleading, however, as it implies a single entity. 
Anyone can say they are “Anonymous,” from individuals posting comments on 
4Chan to members of foreign intelligence agencies (for whom “false flag” operations 
are routine). In a few cases, it appears that cyber criminals have used the name 
Anonymous when carrying out their for-profit exploits. 

These threats are all external, but greatest threat to America’s cybersecurity come 
from inside. This threat is complacency and it has two sources. In the internet com- 
munity, there are many who still believe that the internet can heal itself, that civil 
society and multi-stakeholder internet governance will ultimately provide adequate 
security. They say that threats in cyber space are exaggerated and that better cy- 
bersecurity puts privacy and the alleged virtues of an open internet for innovation 
at risk. This is simply naive and outdated. This sort of approach has never worked 
anywhere else, and it is not working now in cyber space. 

At the same time, business groups underestimate the threat we face and continue 
to assert that some sort of disaggregated, voluntary approach to cybersecurity, guid- 
ed by better information sharing, will be adequate to protect the Nation. This, of 
course, was the approach adopted by the Clinton administration in 1998. It did not 
work then and it does not work now. It will not work in the future when our oppo- 
nents are even more advanced and when we are even more dependent on cyber 
space. Simplifying the regulatory and tax structure would be immensely beneficial 
for our economy, but it is a non-sequitur to argue that blocking mandatory stand- 
ards for cybersecurity somehow compensates for any over-regulation of commercial 
activities. 

The future of threats in cyber space will involve the diffusion and commoditization 
of attack capabilities. It will involve an increased number of privacy breaches and 
the loss of intellectual property and confidential business information. The situation 
is not static and could change rapidly. There are a number of steps we could take 
to reduce risk, but these steps face insurmountable political obstacles that will not 
disappear until after a damaging cyber event. To prepare itself for the inevitable, 
the committee may wish to ask for a classified briefing on the best available intel- 
ligence estimate for when America will experience a cyber attack. 

Mr. McCaul. Thank you, Jim, for your testimony and your serv- 
ice to the country on this important issue. 

With that, the Chairman now recognizes Mr. Wilshusen. 

STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFOR- 
MATION SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY 

OFFICE 

Mr. Wilshusen. Chairman McCaul, Ranking Member Keating, 
and Members of the subcommittee, thank you for the opportunity 
to testify at today’s hearing on cyber-based threats facing our Na- 
tion. The increasing dependency of IT systems and network oper- 
ations pervades nearly every aspect of our society. In particular, in- 
creasing network interconnectivity has revolutionized the way our 
Government, our Nation, and much of the world communicate and 
conduct business. While bringing significant benefits, this depend- 
ency also creates vulnerabilities to cyber-based threats. Today I 
will describe some of those threats, vulnerabilities, and reported se- 
curity incidents affecting the Nation’s systems. 

But first, if I may, Mr. Chairman, I would like to recognize sev- 
eral members of my team who were instrumental in preparing this 
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statement. One, Mike Gilmore, is behind me. Back at the office 
Anjalique Lawrence, Lee McCracken, and Kristi Dorsey played a 
pivotal role in developing these statements. 

Mr. Chairman, the Nation faces an evolving array of cyber-based 
threats. These threats can be intentional and/or unintentional. Un- 
intentional threats can be caused by software upgrades or defective 
equipment that inadvertently disrupt systems. Intentional threats 
can involve targeted and untargeted attacks from a variety of 
sources. These sources, as have been mentioned earlier, include for- 
eign nations, criminal groups, hackers, terrorists, and insiders. 
They vary in their capabilities and their motives, which include 
seeking monetary gain and pursuing an economic, political, or mili- 
tary advantage. Moreover they have a variety of attack techniques 
at their disposal, such as using malicious code, social engineering, 
phishing, denial of service, and more sophisticated attacks that can 
use a combination of these and other techniques. The nature of 
these attacks vastly enhances the reach and impact due to the fact 
that attackers do not need to be physically close to victims and can 
more easily remain anonymous. 

The threat posed by cyber attacks is heightened by 
vulnerabilities in Federal systems and networks. Specifically, sig- 
nificant weaknesses in security controls continue to threaten the 
confidentiality, integrity, and availability of information systems 
supporting Federal operations. 

Most major Federal agencies have significant deficiencies in their 
information security controls. For fiscal year 2011, 18 of the 24 
major Federal agencies reported inadequate information system 
controls for financial reporting purposes, and inspectors general at 
22 of these agencies identified information security as a major 
management challenge for their agency. GAO and agency IGs have 
made hundreds of recommendations to agencies to strengthen con- 
trols over their systems. 

We have also identified vulnerabilities and industrial control sys- 
tems that monitor and control sensitive processes and physical 
functions supporting the Nation’s critical infrastructures. Federal 
agencies continue to report an increasing number of cybersecurity 
incidents. Over the past 6 years, the number of incidents reported 
by Federal agencies to US-CERT has risen nearly 680 percent, to 
almost 42,900 in fiscal year 2011. These incidents include unau- 
thorized access and improper use of computing resources and the 
installation of malicious software on systems. Reported attacks and 
unintentional incidents involving Federal, private, and critical in- 
frastructure systems occur daily and demonstrate that their impact 
can be serious. 

For example, individuals could suffer privacy and financial loss 
from identity theft and on-line scams. Private companies could lose 
a competitive advantage or market value from the cyber threat of 
intellectual property or business proprietary information, and es- 
sential Government functions and critical infrastructure services 
could be impaired or disrupted. 

In summary, the cyber threats facing the Nation are evolving 
and growing with a wide array of threat actors having access to in- 
creasingly sophisticated techniques for exploiting system 
vulnerabilities. The danger posed by these threats is heightened by 



20 


the weaknesses that pervade Federal information systems and sys- 
tems supporting critical infrastructures. Ensuring the security of 
these systems is essential to limiting potentially devastating con- 
sequences that imperil public health and safety in our National 
and economic security. 

Mr. Chairman, this completes my statement. I would be happy 
to answer any questions. 

[The prepared statement of Mr. Wilshusen follows:] 

Prepahed Statement of Gregory C. Wilshusen 
April 24, 2012 

GAO HIGHLIGHTS 

Highlights of GAO-12-666T, a testimony before the Subcommittee on Oversight, 
Investigations, and Management, Committee on Homeland Security, House of Rep- 
resentatives. 

W/iy GAO Did This Study 

Nearly every aspect of American society increasingly depends upon information 
technology systems and networks. This includes increasing computer 
interconnectivity, particularly through the widespread use of the internet as a me- 
dium of communication and commerce. While providing significant benefits, this in- 
creased interconnectivity can also create vulnerabilities to cyber-based threats. Per- 
vasive and sustained cyber attacks against the United States could have a poten- 
tially devastating impact on Federal and non-Federal systems, disrupting the oper- 
ations of governments and businesses and the lives of private individuals. Accord- 
ingly, GAO has designated Federal information security as a Government- wide 
high-risk area since 1997, and in 2003 expanded it to include protecting systems 
and assets vital to the Nation (referred to as critical infrastructures). 

GAO is providing a statement that describes: (1) Cyber threats facing the Nation’s 
systems, (2) vulnerabilities present in Federal information systems and systems 
supporting critical infrastructure, and (3) reported cyber incidents and their im- 
pacts. In preparing this statement, GAO relied on previously published work in 
these areas and reviewed more recent GAO, agency, and inspectors general work, 
as well as reports on security incidents. 

What GAO Recommends 

GAO has previously made recommendations to resolve identified significant con- 
trol deficiencies. 


cybersecurity. — THREATS IMPACTING THE NATION 
What GAO Found 

The Nation faces an evolving array of cyber-based threats arising from a variety 
of sources. These threats can be intentional or unintentional. Unintentional threats 
can be caused by software upgrades or defective equipment that inadvertently dis- 
rupt systems, and intentional threats can be both targeted and untargeted attacks 
from a variety of threat sources. Sources of threats include criminal groups, hackers, 
terrorists, organization insiders, and foreign nations engaged in crime, political ac- 
tivism, or espionage and information warfare. These threat sources vary in terms 
of the capabilities of the actors, their willingness to act, and their motives, which 
can include monetary gain or political advantage, among others. Moreover, potential 
threat actors have a variety of attack techniques at their disposal, which can ad- 
versely affect computers, software, a network, an organization’s operation, an indus- 
try, or the internet itself. The nature of cyber attacks can vastly enhance their reach 
and impact due to the fact that attackers do not need to be physically close to their 
victims and can more easily remain anonymous, among other things. The magnitude 
of the threat is compounded by the ever-increasing sophistication of cyber attack 
techniques, such as attacks that may combine multiple techniques. Using these 
techniques, threat actors may target individuals, businesses, critical infrastructures, 
or Government organizations. 

The threat posed by cyber attacks is heightened by vulnerabilities in Federal sys- 
tems and systems supporting critical infrastructure. Specifically, significant weak- 
nesses in information security controls continue to threaten the confidentiality, in- 
tegrity, and availability of critical information and information systems supporting 
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the operations, assets, and personnel of Federal Government agencies. For example, 
18 of 24 major Federal agencies have reported inadequate information security con- 
trols for financial reporting for fiscal year 2011, and inspectors general at 22 of 
these agencies identified information security as a major management challenge for 
their agency. Moreover, GAO, agency, and inspector general assessments of informa- 
tion security controls during fiscal year 2011 revealed that most major agencies had 
weaknesses in most major categories of information system controls. In addition, 
GAO has identified vulnerabilities in systems that monitor and control sensitive 
processes and physical functions supporting the Nation’s critical infrastructures. 
These and similar weaknesses can be exploited by threat actors, with potentially se- 
vere effects. 

The number of cybersecurity incidents reported by Federal agencies continues to 
rise, and recent incidents illustrate that these pose serious risk. Over the past 6 
years, the number of incidents reported by Federal agencies to the Federal informa- 
tion security incident center has increased by nearly 680 percent. These incidents 
include unauthorized access to systems; improper use of computing resources; and 
the installation of malicious software, among others. Reported attacks and uninten- 
tional incidents involving Federal, private, and infrastructure systems demonstrate 
that the impact of a serious attack could be significant, including loss of personal 
or sensitive information, disruption or destruction of critical infrastructure, and 
damage to National and economic security. 

Chairman McCaul, Ranking Member Keating, and Members of the subcommittee: 
Thank you for the opportunity to testify at today’s hearing on the cyber-based 
threats facing our Nation. 

The increasing dependency upon information technology (IT) systems and 
networked operations pervades nearly every aspect of our society. In particular, in- 
creasing computer interconnectivity — most notably growth in the use of the inter- 
net — has revolutionized the way that our Government, our Nation, and much of the 
world communicate and conduct business. While bringing significant benefits, this 
dependency can also create vulnerabilities to cyber-based threats. Pervasive and 
sustained cyber attacks against the United States could have a potentially dev- 
astating impact on Federal and non-Federal systems and operations. In January 
2012, the Director of National Intelligence testified that such threats pose a critical 
National and economic security concern.^ These growing and evolving threats can 
potentially affect all segments of our society — individuals; private businesses; local. 
State, and Federal governments; and other entities. Underscoring the importance of 
this issue, we have designated Federal information security as a high-risk area 
since 1997 and in 2003 expanded this area to include protecting computerized sys- 
tems supporting our Nation’s critical infrastructure.^ 

In my testimony today, I will describe: (1) Cyber threats facing the Nation’s sys- 
tems, (2) vulnerabilities present in Federal systems and systems supporting critical 
infrastructure,^ and (3) reported cyber incidents and their impacts. In preparing this 
statement in April 2012, we relied on our previous work in these areas. (Please see 
the related GAO products in appendix I.) These products contain detailed overviews 
of the scope and methodology we used. We also reviewed more recent agency, in- 
spector general, and GAO assessments of security vulnerabilities at Federal agen- 
cies and information on security incidents from the U.S. Computer Emergency Read- 
iness Team (US-CERT), media reports, and other publicly available sources. The 
work on which this statement is based was conducted in accordance with generally 
accepted Government auditing standards. Those standards require that we plan and 
perform audits to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provided a reasonable basis for our findings and conclusions 
based on our audit objectives. 


BACKGROUND 

As computer technology has advanced, both Government and private entities have 
become increasingly dependent on computerized information systems to carry out 
operations and to process, maintain, and report essential information. Public and 


1 Janies R. Clapper, Director of National Intelligence, Unclassified Statement for the Record 
on the Worldwide Threat Assessment of the U.S. Intelligence Community for the Senate Select 
Committee on Intelligence (January 31, 2012). 

2 See, most recently, GAO, High-Risk Series: An Update, GAO— 11— 278 (Washington, DC: Feb- 
ruary, 2011). 

3 Critical infrastructures are systems and assets, whether physical or virtual, so vital to our 
Nation that their incapacity or destruction would have a debilitating impact on National secu- 
rity, economic well-being, public health or safety, or any combination of these. 
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private organizations rely on computer systems to transmit sensitive and propri- 
etary information, develop and maintain intellectual capital, conduct operations, 
process business transactions, transfer funds, and deliver services. In addition, the 
internet has grown increasingly important to American business and consumers, 
serving as a medium for hundreds of billions of dollars of commerce each year, as 
well as developing into an extended information and communications infrastructure 
supporting vital services such as power distribution, health care, law enforcement, 
and National defense. 

Consequently, the security of these systems and networks is essential to pro- 
tecting National and economic security, public health and safety, and the flow of 
commerce. Conversely, ineffective information security controls can result in signifi- 
cant risks, including: 

• loss or theft of resources, such as Federal payments and collections; 

• inappropriate access to and disclosure, modification, or destruction of sensitive 
information, such as National security information, personal teixpayer informa- 
tion, or proprietary business information; 

• disruption of critical operations supporting critical infrastructure. National de- 
fense, or emergency services; 

• undermining of agency missions due to embarrassing incidents that erode the 
public’s confidence in Government; and 

• use of computer resources for unauthorized purposes or to launch attacks on 
other computers’ systems. 

THE NATION FACES AN EVOLVING ARRAY OF CYBER-BASED THREATS 

Cyber-based threats are evolving and growing and arise from a wide array of 
sources. These threats can be unintentional or intentional. Unintentional threats 
can be caused by software upgrades or defective equipment that inadvertently dis- 
rupt systems. Intentional threats include both targeted and untargeted attacks from 
a variety of sources, including criminal groups, hackers, disgruntled employees, for- 
eign nations engaged in espionage and information warfare, and terrorists. These 
threat sources vary in terms of the capabilities of the actors, their willingness to 
act, and their motives, which can include monetary gain or political advantage, 
among others. Table 1 shows common sources of cyber threats. 

TABLE 1.— SOURCES OF CYBERSECURITY THREATS 


Threat Source 


Description 


Bot-network operators Bot-net operators use a network, or bot-net, of com- 
promised, remotely-controlled systems to coordinate at- 
tacks and to distribute phishing schemes, spam, and 
malware attacks. The services of these networks are 
sometimes made available on underground markets (e.g., 
purchasing a denial-of-service attack or services to relay 
spam or phishing attacks). 

Criminal groups Criminal groups seek to attack systems for monetary gain. 

Specifically, organized criminal groups use spam, 
phishing, and spyware/malware to commit identity theft, 
on-line fraud, and computer extortion. International cor- 
porate spies and criminal organizations also pose a 
threat to the United States through their ability to con- 
duct industrial espionage and large-scale monetary theft 
and to hire or develop hacker talent. 
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TABLE 1.— SOURCES OF CYBERSECURITY THREATS— Continued 


Threat Source 


Description 


Hackers 


Insiders 


Nations 


Phishers 


Spammers 


Spyware or malware 
authors. 


Terrorists 


Hackers break into networks for the thrill of the challenge, 
bragging rights in the hacker community, revenge, stalk- 
ing, monetary gain, and political activism, among other 
reasons. While gaining unauthorized access once re- 
quired a fair amount of skill or computer knowledge, 
hackers can now download attack scripts and protocols 
from the internet and launch them against victim sites. 
Thus, while attack tools have become more sophisticated, 
they have also become easier to use. According to the 
Central Intelligence Agency, the large majority of hack- 
ers do not have the requisite expertise to threaten dif- 
ficult targets such as critical U.S. networks. Neverthe- 
less, the world-wide population of hackers poses a rel- 
atively high threat of an isolated or brief disruption caus- 
ing serious damage. 

The disgruntled organization insider is a principal source 
of computer crime. Insiders may not need a great deal of 
knowledge about computer intrusions because their 
knowledge of a target system often allows them to gain 
unrestricted access to cause damage to the system or to 
steal system data. The insider threat includes contrac- 
tors hired by the organization, as well as careless or 
poorly-trained employees who may inadvertently intro- 
duce malware into systems. 

Nations use cyber tools as part of their information-gath- 
ering and espionage activities. In addition, several na- 
tions are aggressively working to develop information 
warfare doctrine, programs, and capabilities. Such capa- 
bilities enable a single entity to have a significant and 
serious impact by disrupting the supply, communica- 
tions, and economic infrastructures that support military 
power — impacts that could affect the daily lives of citi- 
zens across the country. In his January 2012 testimony, 
the Director of National Intelligence stated that, among 
state actors, China and Russia are of particular concern. 

Individuals or small groups execute phishing schemes in 
an attempt to steal identities or information for mone- 
tary gain. Phishers may also use spam and spyware or 
malware to accomplish their objectives. 

Individuals or organizations distribute unsolicited e-mail 
with hidden or false information in order to sell products, 
conduct phishing schemes, distribute spyware or 
malware, or attack organizations (e.g., a denial of serv- 
ice). 

Individuals or organizations with malicious intent carry 
out attacks against users by producing and distributing 
sp3rware and malware. Several destructive computer vi- 
ruses and worms have harmed files and hard drives, in- 
cluding the Melissa Macro Virus, the Explore.Zip worm, 
the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, 
and Blaster. 

Terrorists seek to destroy, incapacitate, or exploit critical 
infrastructures in order to threaten National security, 
cause mass casualties, weaken the economy, and damage 
public morale and confidence. Terrorists may use 
phishing schemes or spyware/malware in order to gen- 
erate funds or gather sensitive information. 


Source: GAO analysis based on data from the Director of National Intelligence, Department 
of Justice, Central Intelligence Agency, and the Software Engineering Institute’s CERT® Co- 
ordination Center. 

These sources of cyber threats make use of various techniques, or exploits, that 
may adversely affect computers, software, a network, an organization’s operation, an 
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industry, or the internet itself. Table 2 provides descriptions of common types of 
cyber exploits. 

TABLE 2.— TYPES OF CYBER EXPLOITS 

Type of Exploit Description 

Cross-site scripting .... An attack that uses third-party web resources to run script 
within the victim’s web browser or scriptable application. 
This occurs when a browser visits a malicious website or 
clicks a malicious link. The most dangerous consequences 
occur when this method is used to exploit additional 
vulnerabilities that may permit an attacker to steal cook- 
ies (data exchanged between a web server and a brows- 
er), log key strokes, capture screen shots, discover and 
collect network information, and remotely access and 
control the victim’s machine. 


Denial-of-service An attack that prevents or impairs the authorized use of 

networks, systems, or applications by exhausting re- 
sources. 

Distributed denial-of- A variant of the denial-of-service attack that uses numer- 
service. ous hosts to perform the attack. 

Logic bombs A piece of programming code intentionally inserted into a 

software system that will cause a malicious function to 
occur when one or more specified conditions are met. 

Phishing A digital form of social engineering that uses authentic- 

looking, but fake, e-mails to request information from 
users or direct them to a fake website that requests in- 
formation. 

Passive wiretapping ... The monitoring or recording of data, such as passwords 
transmitted in clear text, while they are being trans- 
mitted over a communications link. This is done without 
altering or affecting the data. 

Structured Query An attack that involves the alteration of a database search 

Language (SQL) in- in a web-based application, which can be used to obtain 
jection. unauthorized access to sensitive information in a data- 

base. 

Trojan horse A computer program that appears to have a useful func- 


tion, but also has a hidden and potentially malicious 
function that evades security mechanisms by, for exam- 
ple, masquerading as a useful program that a user would 
likely execute. 

Virus A computer program that can copy itself and infect a com- 

puter without the permission or knowledge of the user. A 
virus might corrupt or delete data on a computer, use e- 
mail programs to spread itself to other computers, or 
even erase everything on a hard disk. Unlike a computer 
worm, a virus requires human involvement (usually un- 
witting) to propagate. 


War driving The method of driving through cities and neighborhoods 

with a wireless-equipped computer — sometimes with a 
powerful antenna — searching for unsecured wireless net- 
works. 

Worm A self-replicating, self-propagating, self-contained program 

that uses network mechanisms to spread itself. Unlike 
computer viruses, worms do not require human involve- 
ment to propagate. 

Zero-day exploit An exploit that takes advantage of a security vulnerability 


previously unknown to the general public. In many 
cases, the exploit code is written by the same person who 
discovered the vulnerability. By writing an exploit for 
the previously unknown vulnerability, the attacker cre- 
ates a potent threat since the compressed time frame be- 
tween public discoveries of both makes it difficult to de- 
fend against. 

Source: GAO analysis of data from the National Institute of Standards and Technology, 
United States Computer Emergency Readiness Team, and industry reports. 
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The unique nature of cyber-based attacks can vastly enhance their reach and im- 
pact. For example, cyber attackers do not need to be physically close to their vic- 
tims, technology allows attacks to easily cross State and National borders, attacks 
can be carried out at high speed and directed at a number of victims simulta- 
neously, and cyber attackers can more easily remain anon 3 Tnous. Moreover, the use 
of these and other techniques is becoming more sophisticated, with attackers using 
multiple or “blended” approaches that combine two or more techniques. Using these 
techniques, threat actors may target individuals, resulting in loss of privacy or iden- 
tity theft; businesses, resulting in the compromise of proprietary information or in- 
tellectual capital; critical infrastructures, resulting in their disruption or destruc- 
tion; or Government agencies, resulting in the loss of sensitive information and 
damage to economic and National security. 

SYSTEMS SUPPORTING FEDERAL OPERATIONS AND CRITICAL INFRASTRUCTURE ARE 
VULNERABLE TO CYBER ATTACKS 

Significant weaknesses in information security controls continue to threaten the 
confidentiality, integrity, and availability of critical information and information 
systems used to support the operations, assets, and personnel of Federal agencies. 
For example, in their performance and accountability reports and annual financial 
reports for fiscal year 2011, 18 of 24 major Federal agencies indicated that inad- 
equate information security controls were either material weaknesses or significant 
deficiencies® for financial reporting purposes. In addition, inspectors general at 22 
of the major agencies identified information security or information system control 
as a major management challenge for their agency. 

Agency, inspectors general, and GAO assessments of information security controls 
during fiscal year 2011 revealed that most major Federal agencies had weaknesses 
in most of the five major categories of information system controls: (1) Access con- 
trols, which ensure that only authorized individuals can read, alter, or delete data; 
(2) configuration management controls, which provide assurance that only author- 
ized software programs are implemented; (3) segregation of duties, which reduces 
the risk that one individual can independently perform inappropriate actions with- 
out detection; (4) continuity of operations planning, which helps avoid significant 
disruptions in computer-dependent operations; and (5) agency-wide information se- 
curity programs, which provide a framework for ensuring that risks are understood 
and that effective controls are selected and implemented. Figure 1 shows the num- 
ber of agencies that had vulnerabilities in these five information security control 
categories. 


'I The 24 major departments and agencies are the Departments of Agriculture, Commerce, De- 
fense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban 
Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Af- 
fairs; the Environmental Protection Agency, General Services Administration, National Aero- 
nautics and Space Administration, National Science Foundation, Nuclear Regulatory Commis- 
sion, Office of Personnel Management, Small Business Administration, Social Security Adminis- 
tration, and U.S. Agency for International Development. 

® A material weakness is a deficiency, or a combination of deficiencies, in internal control such 
that there is a reasonable possibility that a material misstatement of the entity’s financial state- 
ments will not be prevented, or detected and corrected on a timely basis. A significant deficiency 
is a deficiency, or a combination of deficiencies, in internal control that is less severe than a 
material weakness, yet important enough to merit attention by those charged with governance. 
A control deficiency exists when the design or operation of a control does not allow management 
or employees, in the normal course of performing their assigned functions, to prevent, or detect 
and correct, misstatements on a timely basis. 
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Figure 1 : Information Security Weaknesses at 24 Major Federai Agencies in Fiscal 
Year 2011 


Number of agencies 



Access Configuration Segregation Contingency Securtty 
control management of duties ptannirtg martagement 

Informstion security weakneee category 


Source OAO eneiyete of aoency inKMctcrs oenerri end I3A0 report* 

Over the past several years, we and agency inspectors general have made hun- 
dreds of recommendations to resolve similar previously identified significant control 
deficiencies. We have also recommended that agencies fully implement comprehen- 
sive, agency-wide information security programs, including by correcting weaknesses 
in specific areas of their programs. The effective implementation of these rec- 
ommendations will strengthen the security posture at these agencies. 

In addition, securing the control systems that monitor and control sensitive proc- 
esses and physical functions supporting many of our Nation’s critical infrastructures 
is a National priority, and we have identified vulnerabilities in these systems. For 
example, in September 2007, we reported that critical infrastructure control systems 
faced increasing risks due to cyber threats, system vulnerabilities, and the serious 
potential impact of possible attacks.® Specifically, we determined that critical infra- 
structure owners faced both technical and organizational challenges to securing con- 
trol systems, such as limited processing capabilities and developing compelling busi- 
ness cases for investing in control systems security, among others. We further iden- 
tified Federal initiatives under way to help secure these control systems, but noted 
that more needed to be done to coordinate these efforts and address shortfalls. We 
made recommendations to the Department of Homeland Security to develop a strat- 
egy for coordinating control systems security efforts and enhance information shar- 
ing with relevant stakeholders. Since this report, the Department formed the Indus- 
trial Control Systems Cyber Emergency Response Team to provide industrial control 
system stakeholders with situational awareness and analytical support to effectively 
manage risk. In addition, it has taken several actions, such as developing a catalog 
of recommended security practices for control systems, developing a cybersecurity 
evaluation tool that allows asset owners to assess their control systems and overall 
security posture, and collaborating with others to promote control standards and 
system security. We have not evaluated these activities to assess their effectiveness 
in improving the security of control systems against cyber threats. 

In May 2008, we reported that the Tennessee Valley Authority’s (TVA) corporate 
network contained security weaknesses that could lead to the disruption of control 
systems networks and devices connected to that network.'^ We made 19 rec- 
ommendations to improve the implementation of information security program ac- 
tivities for the control systems governing TVA’s critical infrastructures and 73 rec- 
ommendations to address weaknesses in information security controls. TVA con- 
curred with the recommendations and has taken steps to implement them. 

In addition to those present in Federal systems and systems supporting critical 
infrastructure, vulnerabilities in mobile computing devices used by individuals or or- 


® GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under 
Way, hut Challenges Remain, GAO— 07-1036 (Washington, DC: Sept. 10, 2007). 

(jAO, Information Security: TVA Needs to Address Weaknesses in Control Systems and Net- 
works, GAO-08-526 (Washington, DC: May 21, 2008). 
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ganizations may provide openings to cyber threats. For example, consumers and 
Federal agencies are increasing their use of mobile devices to communicate and ac- 
cess services over the internet. The use of these devices offers many benefits includ- 
ing ease of sending and checking messages and remotely accessing information on- 
line; however, it can also introduce information security risks if not properly pro- 
tected. We have on-going work to determine: (1) What common security threats and 
vulnerabilities affect generally available cellphones, smartphones, and tablets; (2) 
what security features and practices have been identified to mitigate the risks asso- 
ciated with these vulnerabilities; and (3) the extent to which Government and pri- 
vate entities are addressing security vulnerabilities of mobile devices. 

NUMBER OF CYBERSECURITY INCIDENTS REPORTED BY FEDERAL AGENCIES CONTINUES 
TO RISE, AND RECENT INCIDENTS ILLUSTRATE SERIOUS RISK 

Federal agencies have reported increasing numbers of security incidents that 
placed sensitive information at risk, with potentially serious impacts on Federal op- 
erations, assets, and people. When incidents occur, agencies are to notify the Fed- 
eral information security incident center — US-CERT. Over the past 6 years, the 
number of incidents reported by Federal agencies to US-CERT has increased from 
5,503 incidents in fiscal year 2006 to 42,887 incidents in fiscal year 2011, an in- 
crease of nearly 680 percent (see fig. 2).® 


Figure 2: Incidents Reported to US-CERT: Fiscal Years 2006-2011 
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Agencies reported the types of incidents and events based on US-CERT-defined 
categories. As indicated in figure 3, the two most prevalent types of incidents and 
events reported to US-CERT during fiscal year 2011 were unconfirmed incidents 
under investigation and malicious code. 


® According to US-CERT, the growth in the number of incidents is attributable, in part, to 
agencies improving detection and reporting of security incidents on their respective networks. 
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Figure 3: Types of Incidents Reported to US-CERT in Fiscal Year 2011 by Category 
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Reported attacks and unintentional incidents involving Federal, private, and crit- 
ical infrastructure systems demonstrate that the impact of a serious attack could 
be significant. These agencies and organizations have experienced a wide range of 
incidents involving data loss or theft, computer intrusions, and privacy breaches, 
underscoring the need for improved security practices. The following examples from 
news media and other public sources illustrate that a broad array of information 
and assets remain at risk. 

• In April 2012, hackers breached a server at the Utah Department of Health to 
access thousands of Medicaid records. Included in the breach were Medicaid re- 
cipients and clients of the Children’s Health Insurance Plan. About 280,000 peo- 
ple had their Social Security numbers exposed. In addition, another 350,000 
people listed in the eligibility inquiries may have had other sensitive data sto- 
len, including names, birth dates, and addresses. 

• In March 2012, it was reported that a security breach at Global Payments, a 
firm that processed payments for Visa and Mastercard, could compromise the 
credit- and debit-card information of millions of Americans. Subsequent to the 
reported breach, the company’s stock fell more than 9 percent before trading in 
its stock was halted. Visa also removed the company from its list of approved 
processors. 

• In February 2012, the inspector general at the National Aeronautics and Space 
Administration testified that an unencrypted notebook computer had been sto- 
len from the agency in March 2011. The theft resulted in the loss of the algo- 
rithms used to command and control the International Space Station. 

• In March 2012, a news wire service reported that the senior commander of the 
North Atlantic Treaty Organization (NATO) had been the target of repeated 
cyber attacks using the social networking website Facebook that were believed 
to have originated in China. According to the article, hackers repeatedly tried 
to dupe those close to the commander by setting up fake Facebook accounts in 
his name in the hope that his acquaintances would make contact and answer 
private messages, potentially divulging sensitive information about the com- 
mander or themselves. 

• In March 2012, it was reported that Blue Cross Blue Shield of Tennessee paid 
out a settlement of $1.5 million to the U.S. Department of Health and Human 
Services arising from potential violations stemming from the theft of 57 
unencrypted computer hard drives that contained protected health information 
of over 1 million individuals. 

• In January 2012, the Department of Commerce discovered that the computer 
network of the Department’s Economic Development Administration (EDA) was 
hit with a virus, forcing EDA to disable e-mail services and internet access 
pending investigation into the cause and scope of the problem, which persisted 
for over 12 weeks. 
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• In June 2011, a major bank reported that hackers had broken into its systems 
and gained access to the personal information of hundreds of thousands of cus- 
tomers. Through the hank’s on-line hanking system, the attackers were ahle to 
view certain private customer information. 

• Citi reissued over 200,000 cards after a May 2011 website breach. About 
360,000 of its approximately 23.5 million North American card accounts were 
affected, resulting in the potential for misuse of cardholder personal informa- 
tion. 

• In April 2011, Sony disclosed that it suffered a massive breach in its video game 
on-line network that led to the theft of personal information, including the 
names, addresses, and possibly credit card data belonging to 77 million user ac- 
counts. 

• In February 2011, media reports stated that computer hackers had broken into 
and stolen proprietary information worth millions of dollars from the networks 
of six U.S. and European energy companies. 

• In July 2010, a sophisticated computer attack, known as Stuxnet, was discov- 
ered. It targeted control systems used to operate industrial processes in the en- 
ergy, nuclear, and other critical sectors, reportedly causing physical damage. It 
is designed to exploit a combination of vulnerabilities to gain access to its target 
and modify code to change the process. 

• A retailer reported in May 2011 that it had suffered a breach of its customers’ 
card data. The company discovered tampering with the personal identification 
number (PIN) pads at its checkout lanes in stores across 20 States. 

• In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, 
nuclear power plant failed, forcing the unit to be shut down manually. The fail- 
ure of the pumps was traced to excessive traffic on the control system network, 
possibly caused by the failure of another control system device. 

These incidents illustrate the serious impact that cyber threats can have on Fed- 
eral agency operations, the operations of critical infrastructures, and the security of 
sensitive personal and financial information. 

In summary, the cyber threats facing the Nation are evolving and growing, with 
a wide array of potential threat actors having access to increasingly sophisticated 
techniques for exploiting system vulnerabilities. The danger posed by these threats 
is heightened by the weaknesses that continue to exist in Federal information sys- 
tems and systems supporting critical infrastructures. Ensuring the security of these 
systems is critical to avoiding potentially devastating impacts, including loss, disclo- 
sure, or modification of personal or sensitive information; disruption or destruction 
of critical infrastructure; and damage to our National and economic security. 

Chairman McCaul, Ranking Member Keating, and Members of the subcommittee, 
this concludes my statement. I would be happy to answer any questions you have 
at this time. 

Mr. McCaul. Thank you for your testimony. 

The Chairman now recognizes Mr. McClure. 

STATEMENT OF STUART MC CLURE, CHIEF TECHNOLOGY 
OFFICER, MCAFEE 

Mr. McClure. Thank you Chairman, thank you Members. 
So ... I am the global CTO for McAfee. Ultimately I am respon- 
sible for all the technology that comes out of the company and all 
the protective measures that we put in place. But I also used to 
run the labs within McAfee. The labs are responsible for all 
malware that comes in and a quick turnaround to protect our cus- 
tomers. 

Now, when I was running the labs, it was probably about 2005- 
2006, we had upwards of about maybe 1,000 samples every single 
day that came into our networks that we had to go and respond 
to and build signatures and countermeasures for. Today we receive 
80,000 that must be responded to. These are unique, these are ma- 
licious, and they are something that we have to find protective 
countermeasures to. 

This is a huge exponential problem that we have. If I had a 
blank check to write to hire as many people as I wanted, to put 
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as many controls in place as I wanted, I could not do it to respond 
to all of these threats. It is a huge, huge problem. 

Another part of my background, I also wrote a very successful 
computer security book called “Hacking Exposed.” The whole point 
behind the book was to expose how the hacker thinks, how the 
hacker works and achieves its primary goals and targets, and 
leaves very stealthily. That book has been very successful in help- 
ing administrators understand, and ITs as well, to understand how 
they work, because I do, really, believe passionately that if you can- 
not understand how they work, you will never be able to prevent 
them effectively. We are starting to see that today. 

Now, one thing I wanted to share with you is so many years ago 
we used to talk mostly amongst us — I have been doing this a long 
time, about 20-plus years — and we would say, well, at least this 
cyber thing has not gotten to the physical world, it can’t really kill 
anybody. That was the idea. So we got to put our heads down on 
the pillows and actually feel pretty good about that. 

But I can tell you right now, definitively, I can personally kill 
somebody with my computer. I have already demonstrated this po- 
tential many times, and it is something that I want to make sure 
I get across, that the link between cyber and physical is here. 

Now, I am — the demo that I have done in the past has been 
around, a particular insulin pump, okay, but it proves the point, 
which is that given no connection to this particular pump, I can 
overdose, okay, the insulin that is in there. This is just indicative 
of the bigger and broader problem. 

It became really personal for me when my friend, who is a dia- 
betic and has the exact pump, I asked him, hey, can I borrow your 
pump real quick, I am just going to test it out, you know, trust me, 
there is no problem here. He would not do it, he was freaked out. 
He fiat refused, and to be honest I think it compromised a friend- 
ship in a way. But it drove home the point for me, which is this 
stuff, the technology that helps people either in biomed or other- 
wise protects and keeps people alive. So it is something to think 
about as we go forward. 

Now, we always talk about the threats basically in three areas: 
Motivation, opportunity, and ability. Of course you have heard a lot 
about the motivation, financial, ego-driven, hacktivism, purpose, 
you name it, we see it all the time. Opportunity. The big problem 
in this formula is the opportunity. There are so many opportuni- 
ties. The number of devices are just exploding out there, and they 
are all interconnected 24/7, everything from your mobile devices to 
tablets to insulin pumps to critical infrastructure for that matter. 
Also the vulnerabilities that are present on them are growing all 
the time, and that is the core of the problem, these vulnerabilities 
on the assets. The ability is only getting better. 

So every day, more and more people get smarter and smarter, 
the tool kits get easier and easier to download and buy on-line. It 
is those variables in that formula are the big problem, and they are 
not going anywhere but up. So what we have to do is think about 
it, I think, in a better way. So information sharing is absolutely 
critical and key. I have been talking about that for a long time. We 
have to be able to share that valuable data. We can clear the pri- 
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vacy issues. I really — I believe that it doesn’t take much to allow 
the critical data to be shared effectively in a timely manner. 

But the other part that we have to think about is security by de- 
sign. This is the big problem. We develop software, we develop 
hardware, and quite frankly no one — very, very few think about se- 
curity in that design process and in the planning. It is that process 
that we have to try to instill in the coming years to truly affect the 
core problem; otherwise, all we are doing is affecting the symptoms. 
It would be like taking a decongestant or a pain reliever when you 
have a cold, rather than eating healthy and exercising and building 
your immunity. 

So with that, I want to say thank you very much for your time. 

[The prepared statement of Mr. McClure follows:] 

Prepared Statement of Stuart McClure 
April 24, 2012 

Good afternoon Chairman McCaul, Ranking Member Keating, and other Members 
of the subcommittee. I am Stuart McClure, Executive Vice President and Worldwide 
Chief Technology Officer for McAfee. Thank you for requesting my views on this im- 
portant topic. 

You asked me to focus on the cyber threat, so my testimony will focus on threats 
to consumers, to intellectual property, and to critical infrastructure. During my dis- 
cussion I will attempt to highlight the following points: 

• The world’s continual drive to innovate has driven unprecedented connectivity 
which has given rise to exploding numbers of cyber threats and attacks. 

• The only way to definitively solve this problem — and it is solvable — is through 
“security by design.” 

• There are policy initiatives, such as enhanced information sharing and other 
measures, that would dramatically help respond to these threats. 

First I would like to provide some background on my professional experience and 
on McAfee. 

As Global CTO, I work closely with senior leaders at McAfee to ensure strong col- 
laboration on customer requirements, knowledge sharing, strategy, development ef- 
forts, advanced threat research, and technology patents. Prior to joining McAfee, I 
held positions as executive director of security services for Kaiser Permanente, a $34 
billion health care organization; served as senior vice president of global threats and 
research at McAfee Labs, where I led an elite global security threats team; and was 
founder, president, and chief technology officer of Foundstone, which was acquired 
by McAfee in 2004. 

I have dedicated my entire professional life to the practice of cybersecurity. My 
first book, Hacking Exposed, was published in 1999 and has been translated into 
more than 30 languages and has become the definitive best-selling computer secu- 
rity book teaching the good guys how the bad guys think and attack. I have dem- 
onstrated literally hundreds of hacker techniques in front of live audiences for the 
better part of 20 years, as I believe a picture is worth a 1,000 words and a demo 
is worth millions. 


MCAFEE’S role IN CYBERSECURITY 

McAfee, Inc. protects businesses, consumers, and the Government/public sector 
from cyber-attacks, viruses, and a wide range of on-line security threats. 
Headquartered in Santa Clara, California, and Plano, Texas, McAfee is the world’s 
largest dedicated security technology company and is a proven force in combating 
the world’s toughest security challenges. McAfee is a wholly-owned subsidiary of 
Intel Corporation. 

McAfee delivers proactive and proven solutions, services, and global threat intel- 
ligence that help secure systems and networks around the world, allowing users to 
safely connect to the internet and browse and shop the web more securely. Fueled 
by an award-winning research team, McAfee creates innovative products that em- 
power home users, businesses, the public sector, and service providers by enabling 
them to prove compliance with regulations, protect data, prevent disruptions, iden- 
tify vulnerabilities, and continuously monitor and improve their security. 

To help organizations take full advantage of their security infrastructure, McAfee 
launched the Security Innovation Alliance, which brings together more than 150 
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partners, large and small, to allow organizations access into our extensible manage- 
ment platform and thereby detect and prevent attacks in real time. 

THE DOUBLE EDGE OF CONNECTIVITY 

Today, we are always on and always connected. The world of instantaneous com- 
munication and constant connectivity we have come to take for granted is limited 
only by our powers of creativity and innovation — and those seem to have no end. 
For years policymakers have heard of the numerous benefits that this inter- 
connected, always-on world can and does bring to the areas of education, health and 
medicine, energy, and transportation, as well as to individual well-being and the 
American economy at large. Indeed, the Federal Communications Commission has 
now redefined “universal service” from a program designed to create universal tele- 
phone service, to a program that will create Nation-wide high-speed broadband ac- 
cess. There is no turning back from this path, nor should we want to. 

The reality, however, is that this same world of connectivity also creates risk. 
Risk is dictated by three factors: Opportunity, motivation, and ability. If you are 
able to affect any one or more of these factors, you reduce the overall risk. In today’s 
environment, all three factors — opportunity, motivation, and ability — are growing 
inordinately. 

Let me start with motivation. By now you have heard much about a variety of 
criminal actors who are highly motivated — either by money. National pride, religion, 
or some other compelling factor. These actors have huge amounts to gain with hard- 
ly anything to lose; our laws and penalties, in addition to our inability to enforce 
them, make cyher crime extremely attractive and profitable. There are few real de- 
terrents to cyber crime and there is much to gain. 

Add to this the fact that the level of ability of most cyber criminals has increased 
dramatically from the days of the pimply teenager working out of his garage. Now 
there are serious professionals and even companies for hire. Simply put, attacks are 
relatively easy to perform, leveraging thousands and even millions of computers to 
attack a single target, creating virtual armies that are far less expensive and more 
dynamic than physical armies. The tools and techniques are well-documented, easy 
to find, and the range of a malicious individual armed with a laptop and an internet 
connection surpasses that of any ICBM. 

Who has the opportunity? Certainly insiders — those with knowledge of the organi- 
zation and its most sensitive data and systems — have optimum opportunity. But in 
the highly interconnected world, a cyber attacker certainly does not have to BE in- 
side an organization to GET inside it. Indeed, almost any device that we use regu- 
larly — mobile phone, tablet, laptop, thumb drive, automobile, and even a medical de- 
vice — is perfectly capable of letting an attacker inside. Anything that you can con- 
nect to, or that can be connected to — through USB, wired network connection, WiFi 
network connection, Bluetooth, RFID — is enough to let a cyber criminal in. 

Yet the other great reality about a world that is becoming increasingly inter- 
connected is the degree to which connected devices are helping individuals address 
significant challenges, and many of these challenges are highly personal. For exam- 
ple, diabetics can now use insulin pumps that are connected wirelessly; homeowners 
can set their burglar alarm or control the temperature of their homes remotely; pa- 
tients with heart conditions can stay home while doctors monitor their conditions 
from their offices; students in rural areas can take classes at major universities; mo- 
torists can have their car’s door locks unlocked from remote or he routed to their 
exact destination and soon might be able to drive on smart highways. 

This list is by no means exhaustive. Innovative companies have every incentive 
to offer more and more goods and services addressing the most fundamental needs 
of consumers while at the same time make them more interconnected. This is a 
powerful market trend that will continue in the future. But unless the devices are 
locked down and secured by design, the cyher criminals will he given even more op- 
portunities to profit, plunder, and pillage. 

THE RISK TO INDIVIDUALS AND CONSUMERS 

Most consumers expect that when they go on-line, they will be safe, their informa- 
tion will be private, and their kids will be protected as long as they do not go on 
websites from which their parents have barred them. But this is an illusion. For 
every control, there is a bypass. 

The threats that individuals and consumers face run the gamut from identity 
theft to loss of financial or personal information, to infection of their systems and 
destruction of hardware, software, and data. The advent of new mobile technology, 
particularly smartphones and tablets, has opened up new attack vectors for hackers. 
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According to a recent House Science Committee witness from Idaho National 
Labs, Dr. Rangam Subramanian, every key economic sector will soon be dependent 
on wireless: Energy and power, public safety, finance, health care, transportation, 
entertainment, and more. Yet for all the convenience and innovation that wireless 
brings, it also introduces even more opportunities for hackers. 

Many Americans now engage in personal banking, shopping, and other services 
by accessing Wi-Fi hot spots on their smartphones, which can lead them directly 
into traps set by cyber criminals. And the wireless revolution is only in its infancy. 
Cisco’s U.S. mobile data forecast projects that mobile data traffic will increase 16 
times from 2011 to 2016 for a compound annual growth rate of 74 percent. By 2016, 
mobile data traffic will be equivalent to four times the volume of the entire U.S. 
internet in 2005. The United States is a leader in the area of wireless innovation, 
and it is to our National advantage to have that leadership continue. The key is 
to ensure that that innovation incorporates security by design. 

Following are just some of the most recent threats to consumers: 

Social networking sites. — The social networking phenomenon has overtaken por- 
nography as the No. 1 internet activity and has brought traditionally non-computer 
savvy users onto the internet in droves. As an example, if Facebook were a country, 
it would be the 3rd largest in the world with over 860 million users. And cyber 
criminals know this. The attack surface area is large, but they might, for example, 
send what appears to be a harmless video but when clicked on it downloads a mali- 
cious virus. 

Mobile devices. — While PCs remain the bigger targets, smartphones — which of 
course are miniature, mobile computers — are quickly capturing cyber criminals’ at- 
tention, with instances of mobile malware increasing by 600% from 2010 to 2011. 
McAfee Labs again saw the Android platform firmly ensconced as the No. 1 target 
for writers of mobile malware. However, it is a misconception that Mac platforms 
are invulnerable to attack. As Apple recently learned with the Flashback Trojan, 
even their MacBooks can be victims, with over 600,000 infections to date. The hack- 
ers go where the numbers are, and the more ubiquitous iPhones and iPads become, 
the more they will be targeted by hackers. 

Mobile apps. — In 2011, apps that appeared legitimate were bundled with malware 
and distributed over Google’s Android Marketplace. Google was able to remotely de- 
tect and delete more than 50 infected applications from thousands of Android de- 
vices. Every day, consumers download apps from unknown apps stores without a 
second thought. We advise consumers to download apps only from well-known, rep- 
utable app stores, check reviews and apps ratings before downloading them, read 
the fine print to check what permissions the app is accessing, and install a com- 
prehensive mobile security product, including those from McAfee or other vendors. 

Phishing scams and IRS scams. — During the tax season, in particular, hackers 
are known to conduct scams that involved phishing — a way of attempting to acquire 
information such as usernames, passwords, and credit card details by masquerading 
as a trustworthy entity. Some criminal actors masquerade as the IRS or an entity 
closely related to the IRS. We advise consumers never to respond to or click on links 
within unsolicited emails requesting that they enter personal data or visit a website 
to update account information — especially from the IRS, as they do not send out 
emails to consumers. 

Perhaps one of the most unsettling examples of individuals being exposed to cyber 
attacks on a personal level entails the use of personal medical devices. Recently a 
McAfee researcher identified a security flaw in a wirelessly-enabled insulin pump, 
which allows the device to be controlled by a hacker and subsequently administer 
a potentially lethal dose of insulin to diabetes patients. While there are several se- 
curity holes in the device, the principal vulnerability comes from the wireless con- 
nection between the glucose monitoring system and the pump itself, which is vital 
to determining how much insulin is dispensed. 

Since that story was publicized, I’ve heard from several friends who either used 
the pump in question themselves or whose child did. When they asked me if their 
pumps — and thus their lives — were vulnerable to cyber attack, I had to answer 
“yes.” Again, medical device manufacturers are making great strides in reducing in- 
convenience for individuals, yet at what price? Unless devices are built from the 
ground up with security by design, the price could be high. 

Another example is automobiles. Many security researchers have noticed an 
alarming number of vectors of attack inside today’s increasingly computerized cars. 
They have discovered that cars are as insecure as PCs were some 20 years ago, 
fraught with ways into the system and vulnerabilities to attack. In fact, researchers 
from the University of Washington and the University of California, San Diego, 
have released findings over the past 2 years detailing how they could not only open 
a locked car without the keys but they could remotely penetrate a car’s IVI (in-vehi- 
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cle infotainment) system to then take over control of much of the car’s features, in- 
cluding disabling airbag and brakes. Both these examples show that in our highly 
interconnected world, you don’t have to be sitting at a computer or holding a 
smartphone to be vulnerable to cyber attack. 

THE RISK TO INTELLECTUAL PROPERTY 

One of the most insidious types of threats to individuals, corporations, organiza- 
tions, Government agencies, and the economy as a whole is the theft of intellectual 
property. Today, malware developers combine web, host, and network vulnerabilities 
with spam, rootkits (invisible malware that hides within authorized software in a 
computer’s operating system), spyware, worms (which target computers rather than 
software programs but which can clog communications bandwidth and overload com- 
puters or networks,) and other means of attack. Malware also can be distributed in- 
directly by networks of computers that have been corrupted by a criminal — known 
as a “botnet,” or a collection of compromised computers connected to the internet. 

Then there is the type of attack known as an Advanced Persistent Threat (APT), 
which has received much attention recently. The APT is essentially an insidious, 
persistent intruder meant to fly below the radar screen and quietly explore and 
steal the contents of the target network. 

In the past 3 years, McAfee has uncovered numerous APTs affecting tens of thou- 
sands of organizations worldwide. These attacks are significant because they were 
managed by well-coordinated, organized teams that succeeded in extracting billions 
of dollars of intellectual property from leading global companies in the information 
technology, defense, and energy sectors — strategic industries vital to any country’s 
long-term economic success and National security. These low-profile attacks are 
often more dangerous than high-profile incursions because they are a type of cyber 
espionage, providing silent, on-going access to protected institutional information. 
And these APTs are not limited in scope; they can affect any company, government 
body, or nation, regardless of sector, size, or geography. 

However, as the United States is the largest producer of intellectual property in 
the world, we are an especially rich target. The onslaught of increasingly sophisti- 
cated targeted attacks is reflected in growing information breach statistics. A 2010 
survey found that 60 percent of organizations report a “chronic and recurring loss” 
of sensitive information. The average cost of a data breach reached $7.2 million in 
2010 and cost companies $214 per compromised data record, according to the 
Ponemon Institute. And that’s just the cost to respond internally to a data breach. 
If a company’s intellectual property is stolen, it could decimate an organization. 

We do not have statistics for all of the IP breached, as organizations can be reluc- 
tant to report IP theft, fearing that it will cause customers and markets to lose con- 
fidence. Again, by building products and systems that are secure from the ground 
up, these fears, costs, and substantial drain of American competitive innovation 
could be greatly reduced. 

THE RISK TO CRITICAL SYSTEMS AND INFRASTRUCTURE 

As policymakers have begun to recognize, a cyber attack — or series of cyber at- 
tacks — to the Nation’s critical infrastructure could be tremendously devastating to 
our way of life. Let’s take the electrical grid, by far the most vulnerable of our crit- 
ical infrastructures. 

Almost every aspect of American life depends on electricity — from producing goods 
to saving lives, from defending the country to conducting electronic banking and 
commerce, from simple communications to feeding our families safely. Yet the sys- 
tems used to manage our electricity, the supervisory control and data acquisition, 
or SCADA systems, are antiquated, running on commonly available operating sys- 
tems, and with their design having changed little since their introduction decades 
ago. They were never designed or built securely, and they certainly were not meant 
to be connected to the internet. And even today, we find that many electric compa- 
nies still use vendor-supplied default passwords because they allow easy access in 
times of crisis or for maintenance and repair. 

A report by CSIS and McAfee interviewing executives in the energy and power 
sector found that a large majority of them had reported cyber attacks, and about 
55% of these attacks targeted SCADA. In 2009, nearly half of the respondents said 
that they had never faced large-scale denial of service attacks or network infiltra- 
tions. By 2010, those numbers had changed dramatically; 80 percent had faced a 
large-scale denial-of-service attack, and 85 percent had experienced network infiltra- 
tions. Meanwhile, a quarter of the interviewees reported daily or weekly denial-of- 
service attacks on a large scale. A similar number reported that they had been the 
victim of extortion through network attacks or the threat of network attacks. Nearly 
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two-thirds reported they frequently (at least monthly) found malware designed for 
sabotage on their system. 

Attacks on systems like SCADA can give hackers direct control of operational sys- 
tems, creating the potential for large-scale power outages or man-made environ- 
mental disasters. Yet in the United States, many companies have not adopted secu- 
rity measures for their SCADA systems, and many report their SCADA systems 
connected to IP networks or the internet, making these systems even more suscep- 
tible to attacks. 

What happens when there are multiple, simultaneous failures or system manipu- 
lations in the electric grid? Industry experts acknowledge that the grid is not cur- 
rently equipped to handle this situation. While the experts say that the odds of a 
natural event or a physical attack creating this situation have been quite low, they 
are not prepared to say that for cyber — which all agree is the threat most likely to 
give rise to this kind of power failure. 

What could happen? Imagine that cyber criminals have been gaining access to 
various parts of the power grid for years. They have infiltrated enough systems to 
make it possible to knock out power for the entire Northeast grid. They launch an 
attack in winter and power goes down throughout the area. Not only do people lose 
heat, light, refrigeration, cooking facilities, communication, and entertainment, but 
the systems that pump our water from reservoirs — and those that purify the water 
in the reservoirs — are affected. No potable water, perhaps no water at all, and no 
capacities for managing sewage. 

Even if stores have back-up generators, they cannot order the inventory because 
their systems are electronic. Banking comes to a halt because funds can no longer 
move electronically. Gas stations can no longer sell gasoline. Commerce effectively 
ends because order fulfillment systems are down, payment systems are down, and 
communication is down. Those consumers with phone service through the internet — 
including those triple play plans offered by major providers — are out of luck because 
their service is no longer over the traditional land-line telephone network. Hospitals 
and medical centers, which might also have independent generators, can care for 
only the most critical patients, as they cannot check on patients’ insurance status 
or connect with the outside world electronically. While many of these sectors have 
emergency back-up systems to enable them to maintain operations during a power 
failure, those back-up systems are meant to be temporary — not long-term. 

I personally experienced something like this as a child living on the island of 
Guam. A devastating and powerful typhoon knocked out power for many weeks and 
we had to run back and forth between the slowly moving water truck driving down 
the street and the house’s bathtub where we emptied the bucket and ran back. The 
memory of that time is vivid, but it was not nearly as bad as it might have been 
had the situation gone on longer. 

SECURITY BY DESIGN 

Adding security features into systems after they have been developed is a losing 
battle. Remember the sunroof of the 1980’s? The only way to get one was to get it 
installed aftermarket. Manufacturers did not offer one as an option on new cars. 
And many of them leaked badly. Today, every manufacturer offers a sunroof as an 
option to your new car — and they never leak! 

Cybersecurity has to be the same: It must be baked into the equipment, systems, 
and networks at the very start of the design process. Security must be intrinsic to 
an organization’s thought processes, its business processes, and its design, develop- 
ment, and manufacturing processes. It must be embedded in a product or network 
element so that it becomes an integral part of the product’s or element’s functioning. 
This approach is not only more effective; it is less cumbersome and less expensive 
than trying to lock down systems that are inherently insecure. 

POLICY RECOMMENDATIONS 

Given the level of the cybersecurity threat, the Government has a legitimate in- 
terest in ensuring that our country is protected from cyber attacks. The first order 
of business must be for the Government to fully protect its own institutions, and 
we support rapid passage of FISMA reform legislation. The Government also has 
an obligation to work with our companies and citizens to improve the level of secu- 
rity at work and in the home. I believe that positive incentives are superior to regu- 
lation in achieving the desired National outcome: A cyber-secure Nation. Using posi- 
tive incentives rather than negative ones, such as Government mandates, is the 
most effective way to drive higher levels of trust and actual cooperation between the 
private sector and Government — all vital to producing real success. Having the pri- 
vate sector fully commit — customers and vendors of IT products and services — to the 
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principles and implementation of security by design will do much to help make our 
country more secure in the future. 

There are a variety of legislative approaches focused on positive incentives in play 
right now that I believe can make a major contribution to addressing our country’s 
cybersecurity challenges. Many of the recommendations of Representative Thorn- 
berry’s (R-Texas) Cybersecurity Task Force are a step in the right direction in that 
they address a wide range of incentives such as information sharing, insurance re- 
forms, and tax credits. And over the past few years there has been good bipartisan 
collaboration on a number of cyber initiatives, including additional investment in cy- 
bersecurity research and FISMA reform, to name just a few. 

In this same spirit, better information sharing would be particularly effective in 
encouraging the kind of puhlic-private partnerships we need to move forward in cy- 
bersecurity. There have been several proposed Government solutions, and many of 
them share McAfee’s goal that Government facilitate collaboration and encourage 
trusted working relationships to the benefit of all parties in the internet ecosystem. 

Better enabling information sharing is critical for addressing the cyber threat. 
This would help organizations execute with the alacrity shown by our cyber adver- 
saries, as previously described. There are also other positive incentives that can 
help address some of our Nation’s fundamental challenges — challenges in hiring the 
right type of cybersecurity experts, regulatory disincentives, economic disincentives, 
and the immaturity of the insurance market, which has limited the growth of the 
kind of insurance programs needed for companies to insure against catastrophic 
losses: 

• Litigation ! Legal Reform. — Imposing limitations on liability for damages as well 
as for non-economic losses would remove a serious obstacle to information secu- 
rity investments — i.e., the risk of losses for which responsibility is assigned not- 
withstanding a company’s good faith investments in adequate information secu- 
rity. Eliminating that risk, at least for companies that meet high, “best prac- 
tices” security standards, would encourage more security on a company-by-com- 
pany basis. This approach can help create positive incentives for disclosure 
through liahility relief for responsible organizations to improve the Nation’s 
overall cyhersecurity posture. 

• Competitions, Scholarships, and Research and Development Funding. — Cyberse- 
curity competitions and challenges, as well as scholarship and creativity to pro- 
grams, can help identify and recruit talented individuals to the field to augment 
the future cybersecurity workforce. Similarly, research and development grants 
foster innovation and advance basic and applied solutions. Recognizing this, 
several legislative proposals under consideration contain provisions designed to 
help industry meet the cybersecurity challenges of tomorrow and train the next 
generation of experts. 

• Tax Incentives. — ^Accelerated depreciation or refundable teix credits are being 
considered to encourage critical infrastructure industries to make additional in- 
vestments in cybersecurity technologies, solutions, and human capital. The 
same approaches could be effectively applied to small businesses. Despite the 
current environment where balancing the budget is a critical priority, we cannot 
afford to be shortsighted. Cybersecurity-related teix incentives would prove to be 
a legitimate, long-term investment in security that would protect our National 
security and economic interests. 

• Insurance Reforms. — Many companies defer investments in improved security 
out of a concern that, even with improved security, they are not protected from 
liability for losses that occur. Similarly, insurance carriers are reluctant to cre- 
ate a vigorous marketplace for cybersecurity insurance, thereby hindering in- 
vestment. Government should give consideration to implementing reinsurance 
programs to help underwrite the development of cybersecurity insurance pro- 
grams. Over time, these reinsurance programs could be phased out as insurance 
markets gained experience with cybersecurity coverage. 

CONCLUSION 

As Global CTO for the world’s largest dedicated security company, I carry a heavy 
burden, but one to which I have dedicated my entire career: To protect the world 
from cybersecurity attacks. But I stay focused on this task because I believe I can 
make a difference to provide a safer world for our children. 

Thank you for giving me the opportunity to take part in this hearing on behalf 
of McAfee. The cybersecurity challenge faced by our country is a serious matter that 
requires an evolution in the way in which hoth the public and private sectors col- 
laborate. Each sector has its own set of core capabilities. Only the Government can 
implement the complex set of organizational and policy responses necessary to 
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counter the growing cybersecurity threat. Leading information technology companies 
and their customers are uniquely positioned to act as early warning systems that 
can identify and help address cybersecurity attacks. Information technology compa- 
nies focused on cybersecurity, in particular, have the resources and the economic in- 
centives to continue to invent and develop the technologies and solutions needed to 
stay ahead of sophisticated cyber attackers. Aligning Government incentives with a 
National objective of achieving security by design in all of our systems is consistent 
with the best American tradition of collaboration. The public and private sectors 
have made important strides to address the cybersecurity challenge. As we work to- 
gether to further evolve our collaboration models, we can succeed in protecting our 
homeland from the threat of cyber attacks. 

Mr. McCaul. Thank you Mr. McClure. I agree with you that I 
think we have made the jump from virtual to physical as well. 

With that, the Chairman recognizes Dr. Flynn for his testimony. 

STATEMENT OF STEPHEN E. FLYNN, FOUNDING CO-DIREC- 

TOR, GEORGE J. KOSTAS RESEARCH INSTITUTE FOR HOME- 
LAND SECURITY, NORTHEASTERN UNIVERSITY 

Mr. Flynn. Thank you very much Mr. Chairman, Ranking Mem- 
ber Keating, Ranking Member Thompson. It is an honor to be be- 
fore you all, distinguished Members of the subcommittee. I would 
like to build on the conversation we have had already today, the 
testimony we have already had today, and essentially assign an ex- 
planation point I think to the risk. 

As I see it, this subcommittee certainly well understands the se- 
rious nature of the challenge, but we really have as a country not 
stepped up to this risk. 

I want to share with you a scenario that was actually developed 
by the National Institute of Standards and Technology, the NIST, 
in an attack on the U.S. electric grid to kind of drive home the 
stakes involved with this. According to the NIST study, they pro- 
vide the following scenario. Using war dialers, simple computer 
programs that dial consecutive phone numbers looking for modems, 
an adversary finds modems connected to programmable breakers of 
the electric power transmission control systems, they crack the 
passwords that control access to the breakers and change the con- 
trol settings to cause local power outages and damage equipment. 
The adversary lowers the settings from 500 amps to 200 amps on 
some circuit breakers, taking those lines out of service, and then 
diverting power to neighboring lines. At the same time the adver- 
sary raises the settings on the neighboring lines to 900 amps which 
prevents the circuit breakers from tripping, plus overloading the 
lines. This causes significant damage to transformers and other 
critical equipment, resulting in lengthy repair outages. 

This is not a particularly sophisticated attack and it can be car- 
ried out remotely by anybody with anonymity. The harm it could 
cause will be far beyond the disruption of service and the loss of 
data. When you can successfully disable a portion of the power 
grid, you can generate cascading consequences. When transformers 
fail, so too will water distribution, waste management, transpor- 
tation, communications, and many emergency Government serv- 
ices. People who take medicines that require refrigeration will 
quickly face the prospect of going without those drugs. 

Given the average of a 12-month lead that is required to replace 
a damaged transformer today with a new one if we had a mass 
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damage of that scale in a local regional level, the economic and so- 
cietal disruption would be enormous. 

There are lots of potential target or opportunity, as Mr. McClure 
laid out. We have a power grid that operates with 5,300 power 
plants that, combined, produce 1,075 gigawatts that is moved from 
power plants to 140 homes and businesses via 211 miles of high- 
voltage transmission lines and thousands of substations. 

Again, the cyber world and the physical world is here. The things 
that we are talking about messing with are things that we rely on 
and largely take for granted. The issue is primarily that these at- 
tacks can go after the industrial control systems that are central 
to their operation. As these vulnerable industrial control systems 
are used remotely to manage everything from waste, water, oil 
pipelines, refineries, and power generation plants, transportation 
systems, mass transit to maritime port operations, an attack on 
these systems can produce not only a catastrophic disruption, but 
destruction, loss of life. Here we really need to wake up and recog- 
nize that we have a problem that hackers cannot only break into 
systems but take control of them. Doing things like turning off 
alarms or sending bad data to falsely trigger alarms can essentially 
cause the kind of mischief we just heard Mr. McClure can do with 
an insulin device. 

So, given this urgency, flashing back to my own career in the 
Coast Guard, the model should be “all hands on deck.” But I would 
argue that to date, American universities and academic institutions 
have been largely left on the sidelines. We talk about private-pub- 
lic, but we fail to engage the various institutions that are involved 
in developing so many of these technologies and developing the cul- 
ture which we have to operate in, for better or for worse. Univer- 
sities, I would argue, can play a key role in helping us to move for- 
ward in the face of this risk. They can offer expertise to play an 
honest broker role between the private and public sectors. Univer- 
sities can bridge that expertise and trust gap by its convening of 
power and offering technical advice where it can be helpful. They 
also can — another point Mr. McClure just made, the importance of 
baking in cybersecurity. Universities have been and will continue 
to be the incubators for information technology and applications. 
The time for thinking about incorporating safeguards is when they 
are under development, not after they are being widely used by 
consumers and industry. When security measures are an after- 
thought, they often end up being costly and suboptimal. 

Developing and maintaining standards that can mitigate cyber 
threats, vulnerabilities, and consequences and help to sustain or 
rapidly recover central functions and trust, needs to become an or- 
ganic part of critical infrastructures, systems, and networks. Aca- 
demic institutions need to be made an active partner in that effort. 

Finally, the need to develop a culture of cybersecurity. At the end 
of the day, we are going to need young people involved with this, 
and we have got a lot of them in the academic and university 
world. We should go there to try to get them involved, to be part 
of the solution, not potentially be a part of the problem. 

In conclusion, I would like to recommend to the committee to 
consider really actively embracing some of the proposed legislation 
that Ranking Member Keating has been advancing to advance re- 
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gional university-based cybersecurity research centers ideally lo- 
cated in several places in part of the country. We need to mobilize 
civil society, we need to mobilize intellectual capital we have in this 
country to address this very urgent problem. 

Thank you very much Mr. Chairman. 

[The prepared statement of Mr. Flynn follows:] 

Prepared Statement of Stephen E. Flynn 
April 24, 2012 

Chairman McCaul, Ranking Member Keating, distinguished Members of the sub- 
committee, thank you for the opportunity to testify about the serious and growing 
cybersecurity threat facing consumers, industry, and government at all levels in the 
United States. The significant vulnerability of critical infrastructure such as the 
electric grid and transportation infrastructure, information and financial systems, 
and everyday American consumers to cyber threats is why today’s hearing is so 
timely and why urgent action by Congress is so needed. 

My name is Stephen Flynn. I am the founding Co-Director of the Kostas Research 
Institute for Homeland Security and professor of Political Science at Northeastern 
University in Boston, Massachusetts. I am also a member of the Homeland Security 
Project at the Bipartisan Policy Center that is led by 9/11 Commission co-chairs 
Governor Tom Kean and Congressman Lee Hamilton. The Nation’s exposure to a 
growing array of cybersecurity threats is one of deep concern to the co-chairs and 
all the members of our group of distinguished National security and homeland secu- 
rity leaders. 

At the Kostas Institute, our mission is to help advance resilience in the face of 
21st Century risks so that America can better withstand, nimbly respond, rapidly 
recover, and adapt to man-made and natural disruptions. As such, we are working 
with our Northeastern colleagues in the College of Computer & Information Science, 
College of Engineering, and College of Social Sciences and Humanities to make cy- 
bersecurity a primary area of focus. We are a particularly interested in better safe- 
guarding industrial control systems that are key to the operation of much of the Na- 
tion’s critical physical infrastructure. 

The Kostas Institute is housed in a new 70,000-square-foot research facility lo- 
cated in the heart of the metro-Boston high-technology corridor where it provides 
a secure environment for innovative translational research conducted by private- 
public-academic multidisciplinary research teams. Northeastern is also home to the 
Institute for Information Assurance, which is one of the National Security Agency’s 
(NSA) Centers of Excellence. In addition, the university is a member, along with 
MIT, Harvard, Boston University, and the University of Massachusetts, of the Ad- 
vanced Cyber Security Center hosted at the MITRE Corporation in Bedford, Massa- 
chusetts. Given the historic leadership role that Northeastern, our neighboring uni- 
versities, and the information technology industry that is concentrated in the metro- 
Boston area have played in high-tech development, we feel a special responsibility 
to help manage, stem, and mitigate the growing risks to critical systems from cyber 
threats. To this end, we are committed to bringing together expert researchers and 
practitioners to identify risks and their potential consequences, to develop next-gen- 
eration secure applications and computing architecture, and to promote best prac- 
tices with our counterparts around the United States and globally. 

nature of the cybersecurity threat 

The cybersecurity threat is one of the most serious economic and National secu- 
rity challenges we face as a Nation. Quite simply, the United States is at risk of 
becoming a victim of its own success. Our position as the world’s dominant economic 
power can be attributed in no small part to the speed at which Americans have de- 
veloped and embraced information technology systems and applications. But while 
we have been leading and benefiting from the information age, there has been too 
little consideration to the security implications of our growing reliance on informa- 
tion technologies. 

A particularly worrisome vulnerability is the extent to which over the past decade, 
more and more Internet Protocol (IP) devices have been replacing proprietary hard- 
ware, software, and communications protocols for the Nation’s physical infrastruc- 
ture. As industrial control systems (ICS) become increasingly accessible to the Inter- 
net, cyber attacks can be launched at the electrical power grid; water and waste 
management systems; oil pipelines, refineries, and power-generation plants; and 
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transportation systems ranging from mass-transit to maritime port operations. An 
attack on these systems by a state or non-state actor, not only places at risk the 
continuity of service or the compromise of databases, but the potential for cata- 
strophic loss of life and destruction of property. This is because computer hackers 
are not only able to infiltrate systems, but they are increasingly in a position to ac- 
tually take control of such systems — turning off alarms or sending bad data that 
falsely triggers an alarm. Unfortunately, bad actors need not be terribly sophisti- 
cated in order to accomplish substantial harm. Because of the interconnectivity of 
our networks, successful disabling of just one critical system can generate cascading 
consequences across multiple systems. 

The U.S. power grid is particularly vulnerable to the risk of cyber attacks and 
given the reliance on power by all other sectors, it deserves special and urgent at- 
tention. As with other large and disbursed infrastructures that make up America’s 
critical industrial landscape, managing the electric grid depends on the operation 
of supervisory control and data acquisition (SCADA) systems and distributed control 
systems (DCS). SCADA systems make it possible to control geographically dispersed 
assets remotely by acquiring status data and monitoring alarms. Based on the infor- 
mation received from the remote station control devices, automatic or operator-driv- 
en supervisory commands can be provided from a centralized location. These field 
devices can perform such functions as opening and closing breakers and operating 
the speed of motors based on the data received from sensor systems. Distributed 
control systems (DCS) are typically facility-centric and used to control localized in- 
dustrial processes such as the flow of steam into turbines to support generation of 
power in an electric plant. DCS and SCADA systems are networked together so that 
the operation of a power generation facility can be well-coordinated with the de- 
mand for transmission and distribution. i 

When most industrial control systems (ICS) were originally installed to help oper- 
ate components of the power grid, they relied on logic functions that were executed 
by electrical hardware such as relays, switches, and mechanical timers. Security 
generally involved physically protecting access to the consoles that controlled the 
system. But, over time, microprocessors, personal computers, and networking tech- 
nologies were incorporated into ICS designs. Then in the late 1990’s, more and more 
Internet Protocol (IP) devices were embraced so as to allow managers to gain better 
access to real-time systems data on their corporate networks. These networks are, 
in turn, often connected to the internet. The inevitable result of this increased reli- 
ance on standard computers and operating systems is to make ICS more vulnerable 
to computer hackers.^ 

Tampering with DCS and SCADA systems can have serious personal safety con- 
sequences since industrial control systems directly control assets in the physical 
world. According to a June 2011 report by the National Institute of Standards and 
Technology (NIST), cybersecurity breaches of industrial control systems could in- 
clude unauthorized changes to the instructions, commands, or alarm thresholds that 
result in disabling, damaging, or shutting down key components. Alternatively, false 
information about the status of systems can be sent that cause human operators to 
make adjustments or to take emergency actions that inadvertently cause harm. If 
a cyber attack leads to a power-generating unit being taken off-line because of the 
loss of monitoring and control capabilities, it could result in a loss of power to a 
transmission substation, triggering failures across the power grid if other sub- 
stations are not able to carry the added load. The resultant blackouts would affect 
oil and natural gas production, water treatment facilities, wastewater collection sys- 
tems, refinery operations, and pipeline transport systems.^ 


^U.S. Department of Commerce. Guide to Industrial Control Systems (ICS) Security, (Special 
Publication 800—82, Jun. 2011) by K. Stouffer, J. Falco and K. Scarfone. 

2 Ibid. 

3 Ibid. 
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POTENTIAL CASCADING EFFECTS OF ELECTRIC POWER FAILURE 



Source: Department of Homeland Seeurity.'* 

A possible scenario hypothesized by the NIST is illustrative: 

Using war dialers — simple computer programs that dial consecutive phone numbers 
looking for modems — an adversary finds modems connected to the programmable 
breakers of the electric power transmission control system, cracks the passwords 
that control access to the breakers, and changes the control settings to cause local 
power outages and damage equipment. The adversary lowers the settings from 500 
Ampere (A) to 200 A on some circuit breakers, taking those lines out of service and 
diverting power to neighboring lines. At the same time, the adversary raises the set- 
tings on neighboring lines to 900 A, preventing the circuit breakers from tripping, 
thus overloading the lines. This causes significant damage to transformers and 
other critical equipment, resulting in lengthy repair outages.® 

When transformers fail, so too will water distribution, transportation, communica- 
tions, and many emergency and Government services. Given the 12-month lead time 
typically required to replace a damaged transformer with a new one,® the local and 
regional economic and societal disruption caused by a cyber attacks that that dis- 
able or destroy the mechanical functioning of key components of the power grid 
would be devastating. 

Beyond this exposure of long-standing industrial infrastructure to cyber threats, 
there is a serious risk to the emerging computing environment as well. As mobile 
devices, from smart phones to iPads have proliferated, so too has mobile malware 
reflecting the painful reality that security still receives insufficient attention by the 
private sector responsible for rushing to market new informational technology tools 
and applications. According to a March 2012 company survey conducted at a major 
IT conference, 68 percent of security professionals reported currently having no way 
of identifying known mobile device vulnerabilities that could be affecting their net- 
works.^ Mobile devices are being targeted to steal users’ authentication credentials 


'^National Aeronautics and Space Administration. NASA Science News. Severe Space Weath- 
er — Social and Economic Impacts. June 2009 at http: ! I science.nasa.gov ! science-news I science-at- 
nasa 12009 121 jan severespaceweather / . 

^U.S. Department of Commerce. Guide to Industrial Control Systems (ICS) Security, (Special 
Publication 800—82, Jun. 2011) by K. Stouffer, J. Falco and K. Scarfone. 3—17. 

® National Aeronautics and Space Administration. NASA Science News. Solar Shield — Pro- 
tecting the North American Power Grid. October 26, 2010 at http: ! I science.nasa.gov ! 
sciencenews I science-at-nasa i 201 0 /26oct solarshield ! . 

“Mobile Device Vulnerability Management Flagged as Top Concern for Security Professionals 
in 2012,” Press Release by Tenable Press Security (Apr 2, 2012) http: I ! finance.yahoo.com I 
news ! mobile-device-vulnerahility-management-flaggedl40900613.html. 
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and financial information. Moreover, as new social networks emerge, users tend not 
to appreciate the permanent availability of data, which can facilitate hackers’ iden- 
tity theft and identity cloning efforts. It is these growing ubiquitous links on the 
internet that makes all Americans vulnerable to cyber threats that can damage very 
practical aspects of our lives. 

THE CASE FOR MAKING UNIVERSITIES FULL-FLEDGED CYBER SECURITY PARTNERS 

The potential contribution of American universities and academic institutions in 
advancing cybersecurity has been largely overlooked by the Executive Branch. There 
are three reasons why this oversight must be redressed. 

(1) The need for expertise and for an honest broker to support public-private 
partnerships. — Universities can help bridge the expertise and trust gap between 
the public sector and private sector in developing standards, and — when appro- 
priate — regulations. Universities can play this role by serving as neutral con- 
veners between the public and private sectors and as arbiters of technical 
issues. Serving in this capacity should be seen as attractive to both the private 
sector and public sector, given the unique challenges for each associated with 
advancing cybersecurity. 

The private sector, left largely on its own, has struggled to establish and enforce 
cybersecurity standards. In some instances this is because the information 
asymmetry associated with moral hazard; i.e., the developer of technologies and 
applications pass along risks because the costs will be disproportionately or 
wholly borne by the IT users that are attracted to the benefits of the tool, but 
lack an understanding of their resultant exposure to cyber threats and the asso- 
ciated consequences. There is also the tragedy of the commons dilemma arising 
from the fact that an entire system or network can be compromised by an at- 
tack on its weakest link. If compliance with a security standard is only vol- 
untary, the vigilant company must worry that one or more of its competitors 
will find irresistible the temptation to forego the added cost of adopting the 
measure in a bid to boost market share or profits. As a result, the system re- 
mains vulnerable to disruption even if the vigilant company places itself at a 
competitive disadvantage by investing in the security measure. 

The traditional way to deal with the problem associated with moral hazard and 
the tragedy of the commons dilemma is by adopting regulations that are well- 
enforced. But, effective regulations largely depend on the public sector having 
the requisite expertise to develop and oversee them. Unfortunately, in the case 
of cybersecurity, the Federal Government continues to face significant chal- 
lenges with recruiting and retaining personnel with the appropriate technical 
background. This is particularly true of the Department of Homeland Security 
and other Federal agencies outside the Department of Defense, the National Se- 
curity Agency, and the intelligence community. 

Universities and the academic community should be enlisted to assist in ad- 
dressing this deficit. Universities can help the private sector identify reasonable 
security options that can be embedded into critical infrastructures without caus- 
ing undue disruption to dynamic and complex systems. Universities can also 
provide the public sector with the expertise that Government policy makers and 
officials need to keep up with the rapid pace and the growing complexity of in- 
formation technologies and applications. Beyond the Office of University Pro- 
grams within the DHS Science and Technology Directorate, Secretary Janet 
Napolitano has embraced the need for such coordination with the university 
community by recently establishing a Homeland Security Academic Advisory 
Council (HSAAC). HSAAC has been created so that the Department has a 
structured way to receive advice and input from university leaders who vol- 
untary serve on the Council, including Northeastern University’s President, Jo- 
seph E. Aoun. In 2011, Secretary Napolitano has also created an Office for Aca- 
demic Engagement and appointed an Executive Director to serve within her of- 
fice. 

(2) The imperative to “bake-in” cybersecurity. — Universities have been and will 
continue to be incubators for information technology and applications. The time 
for thinking about incorporating safeguards is when they are under develop- 
ment, not after they are being widely used by consumers and industry. When 
security measures are an afterthought, they often end up being costly and sub- 
optimal. Developing and maintaining standards that can mitigate cyber threats, 
vulnerabilities, and consequences, and help to sustain or rapidly recover essen- 
tial functions and trust need to become an organic part of critical infrastruc- 
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tures, systems, and networks. Academic institutions need to be made an active 
partner in that effort. 

(3) The need to develop a culture of cybersecurity . — Cybersecurity needs to be 
embedded in our information-age culture. Everyone needs to have a better un- 
derstanding of cyber risks. This will require collaborative efforts that actively 
engage civil society, not just companies and Government agencies. There’s no 
better way to develop this culture than by starting with young people who are 
attending academic institutions. An important way to advance this is to inte- 
grate cybersecurity within and across academic curriculums. Universities 
should be assigned a prominent role in conducting research, developing courses, 
and teaching as many informational technology users and providers as possible 
about the cyber dangers that we face and the security strategies and tactics 
that we need to embrace. The goal should be to create a new generation of stu- 
dents with the sophisticated skills to harness the opportunities of the informa- 
tion age without becoming victims of its dark side. 

THE NEED FOR A COORDINATED RESEARCH & DEVELOPMENT STRATEGY 

While pockets of knowledge exist about new and emerging cyber threats and the 
techniques for better safeguarding systems from attack, too many owners and opera- 
tors of critical infrastructure continue to embrace information-age tools, including 
wireless and mobile devices, without adequately understanding the associated 
vulnerabilities and consequences. Faced with significant resource constraints, the 
Federal Government is largely trapped in the present, racing to respond to known 
threats to critical assets, often at the expense of developing the means to better an- 
ticipate new threats, to map out the associated risks, and to devise appropriate re- 
sponses. There is also a National security imperative to develop offensive capabili- 
ties to deter or respond to attacks by state actors. It’s in these areas that academic 
partners working together with industry and governments at all levels can be par- 
ticularly helpful. 

I applaud Chairman Dan Lungren and the efforts by Ranking Member Keating 
to introduce legislation that recognizes that preparing for and combatting cyber war- 
fare requires robust academic, industry, and Federal research partnerships to de- 
sign and implement secure systems for critical infrastructure. Yet, to date, the Na- 
tion’s cybersecurity leaders have not yet fully engaged the academic research com- 
munity in this effort. Meanwhile, industry is focused more on the near- and me- 
dium-term tasks of developing new products and applications. As the National Acad- 
emies have noted, it largely falls to the Federal Government to play the 
indispensible role in sponsoring fundamental research that is key to developing the 
information technology talent that is used by industry and other parts of the econ- 
omy. Chairman Lungren’s proposed legislation appropriately recognizes the vital im- 
portance of a coordinated Federal program of research and development to advance 
cybersecurity. 

In 2010, the DoD-commissioned JASON Report, Science of Cybersecurity, outlined 
the need to establish cybersecurity science-based centers within universities and 
other research institutions.® These Federally-funded centers would provide Govern- 
ment sponsors with access to the regional clusters of innovative ideas and academic 
experts while concurrently facilitating exposure by researchers to agency experience 
and expertise in managing cyber threats to Government networks. One priority 
should be to map the risk and potential cascading consequences associated with 
cyber attacks on critical physical infrastructure. A second priority should be to ad- 
vance research that can support the development of technology and automated ap- 
proaches to detect and mitigate attacks. And another priority should be to enrich 
our understanding of the human and social aspects of managing cyber 
vulnerabilities since advancing cyber security involves much more than technical 
problems. 


REGIONAL UNIVERSITY-BASED CYBERSECURITY RESEARCH CENTERS 

Since information and communications networks are largely owned and operated 
by the private sector, regional university-based cybersecurity research centers 
should be assigned the task of facilitating an exchange among industry. Govern- 
ment, and academic partners to test data and transition new ideas into the rapid 
adoption of research and technology development innovations. Regional university- 
based centers should be assigned as their primary mission, developing strategies to 
improve the security and resilience of information infrastructure and reducing the 


8 “Science of Cyber-Security” JASON, The MITRE Corp. JSR-10-102 (Nov 2010) http:! ! 
www.fas.org/irp/ agency /dod/ jason / cyber.pdf. 
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vulnerability, mitigating the consequences, and speeding the recovery of critical in- 
frastructure in the face of cyber attacks. 

As a stepping-off point, these regional university-hased research centers should be 
tasked with working with U.S. National research laboratories to develop a detailed 
profile of the physical-cyber risk to the electric grid and developing options for miti- 
gating that risk. Understanding the technical elements of the cyber threat to the 
power grid is a complex, multi-disciplinary challenge, that requires an under- 
standing of networking and protocols, software and machine architecture, formal 
methods and high-performance computing, nanotechnology, and quantum and com- 
pressive imaging, to name a few. Implementing potential solutions will involve an 
intricate array of not just technical tools, but appropriate procedural protocols, pub- 
lic policy, and regulations. To accomplish this task, the Department of Energy and 
the Department of Defense should actively support a directed research program that 
involves a collaborative effort amongst the U.S. National research lahoratories, elec- 
tric utilities, and the university-based cybersecurity research community to simulate 
real-life conditions, systems, and infrastructure, that would lead to the discovery, 
testing, and analysis of state-of-the-art tools, technologies, and software in a sci- 
entifically rigorous manner. Concurrently, the research program should identify pol- 
icy guidelines and incentives for quickly integrating those tools, technologies, and 
software into the power grid to bolster its resilience in the face of the cyber threat. 
This effort should be undertaken with close collaboration with Canada given the 
interconnected nature of the regional grids in the East and West with the provinces 
of Canada. 


ECONOMIC DRIVERS 

Advances in networking and information technology are key economic drivers, 
crucial to maintaining America’s global competitive position in energy and transpor- 
tation, food and manufacturing, education and life-long learning, health care, and 
National and homeland security. If the recent past is a guide, these advances will 
also accelerate the pace of discovery in nearly all other fields. In the end, capital- 
izing on America’s peerless standing in higher education by creating regional uni- 
versity-based centers to advance cybersecurity, will provide a rich return on invest- 
ment for the Nation. 


CONCLUSION 

Beyond the risk of a detonation of a weapon of mass destruction on U.S. soil, no 
security challenge is currently more serious to the United States than the on-going 
risk of cyber attacks. The security of our public and private cyber networks is vital 
to assuring the reliability of the electric grid, transportation systems, and banking 
and financial systems, and consumers. Continued research collahoration with aca- 
demic and industry partners is an important function for the Federal Government 
and vital to improving homeland security. Such partnerships provide an important 
return on investment as Government receives solutions tailored to its security 
needs, university partners employ some of their best researchers and students in 
an effort to develop new technologies, and the next generation of STEM profes- 
sionals get the skills and training they need to enter into homeland security careers 
that benefit the Nation. I strongly recommend that this subcommittee direct the De- 
partment of Homeland Security to build on Secretary Napolitano’s recent academic 
engagement efforts by more actively incorporate university partners, including es- 
tablishing regional university-based cybersecurity research centers, to support the 
DHS’s efforts to develop public-private approaches to preventing, responding, and 
recovering from future cyber attacks. 

Thank you again for the opportunity to testify today. I would be happy to answer 
any questions you may have. 

Mr. McCaul. Thank you Dr. Flynn. 

In fact, I offered an amendment, and Ms. Clarke was helpful 
with that amendment, that would basically look at these consor- 
tiums, university-based and fusion center. The bill that I intro- 
duced, that passed unanimously out of the Science and Technology 
Committee will be on the floor this Thursday, does create a public- 
private partnership between the universities and the public sector 
and the private sector in a task force. So I think that is a step in 
the right direction. 
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I completely agree with your analysis on that point, that univer- 
sities can play such a critical role. We also have a Federal scholar- 
ship program for service in the Federal Government in that bill. 

So with that, I just want to — one of the reasons we wanted to 
have this hearing — we have historic legislation on the floor on cy- 
bersecurity for the first time in many years, and we wanted to call 
to the attention of the American people and to Members of Con- 
gress as to what the real threat is. I have been dealing with this 
issue for a long time, but I think it is important that the American 
people, who most of them don’t understand this issue, have a better 
idea of what is at risk. 

You know, when I look at the theft of intellectual property to the 
tune of $1 trillion, that is a serious economic issue for the United 
States; when I look at countries like China who have stolen our 
Joint Strike Fighters, F-35 and F-22s, stolen those blueprints so 
they can manufacture those planes and then guard against those 
planes; when you look at China and Russia who have hacked into 
every Federal agency in the Federal Government, including the 
Pentagon. 

You know, we talk about the analogy, agents of a foreign power 
caught with paper files walking out with classified or nonclassified 
information, it will be all over the papers. But yet in the virtual 
world, that is happening and no one seems to know or really pay 
attention to it. 

Then the final piece. There is the espionage, the stealing of mili- 
tary secrets, satellite technology, rocket technology out of NASA, it 
is prevalent, it is everywhere; and when I look at the cyber warfare 
piece, that is the one that keeps me up at night the most. 

As we know, the genie is out of the bottle, just like nuclear weap- 
ons. It can be turned against us. We know what our offensive capa- 
bility is and it is pretty darn impressive. That capability turned 
against us, I think is what frightens us, and who would have the 
motivation to do that. 

So my first question is to Mr. Henry. You said that we are really 
just hitting the tip of the iceberg and that the biggest threats are 
below the waterline. Can you expand on what these bigger threats 
are beneath the tip of the iceberg? 

Mr. Henry. Yes, sir. Thank you. Let me, if I could just clarify 
my statement that I made about the sense of urgency. I certainly 
recognize everything this committee is doing. My concern is the ho- 
listic response of our society, public, private, other Government 
agencies, and citizens themselves. So I wanted to make sure that 
was clear. That was my concern. 

When I talk about below the iceberg, I really talk about what is 
being seen on the classified side. Certainly in this environment, I 
can’t go into details. But when you have people like General Alex- 
ander from NSA, and General Hayden, former CIA and NSA, and 
Admiral McConnell, the Director of National Intelligence, Joel 
Brenner, the National Counterintelligence Executive, when you 
have people, they have all seen below the waterline. When they are 
standing up saying what they are saying, I think people need to 
listen to that and understand that when you have got the senior 
leadership of the Government talking about how significant and 
substantial this threat is, they have seen below the waterline, they 
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have seen that big piece of iceberg the average person just never 
gets to see. What they hear about and see about in the media is 
really just a very small portion. I think some of the witnesses here 
kind of alluded to that and talked about some of the concerns about 
SCADA systems, industrial control systems, some of the threats to, 
as you mentioned, our cleared defense contractors. The threats 
there are so voluminous and so large and the implications — while 
certainly a threat of a credit card being stolen is absolutely impor- 
tant and I recognize that — but when you talk about the plans to 
our next generation weapon systems and our adversary being able 
to prepare a defense today or to build devices that can counter or 
actually exceed our capabilities, that is a significant danger to this 
Nation and people have to understand that. 

Mr. McCaul. When we talk about cyber Pearl Harbor, and I 
have the director of NSA telling me it is not a question of if but 
when, where do you see the biggest threat coming from? 

Mr. Lewis. I think it is two of the groups I mentioned, Mr. 
Chairman. I don’t worry about China and Russia. They are not 
going to start a war just for fun. But I don’t know if I would say 
that for Iran or North Korea when they get the capabilities. I know 
the full committee is going to have a hearing on Iran on Thursday, 
but they have a little bit of a grudge match. They feel like we are 
somehow responsible for Stuxnet and they are trying to create a 
cyber army. 

The other group to watch, and the group that is more interesting 
that I think we have all raised, are these hacker groups who have 
anarchic or anti-Government tendencies, very strong cyber skills, 
some of them have excellent hackers involved. There are so many 
vulnerabilities and there are so many tools that eventually — you 
know, the line I always refer to is a headline we saw last year 
about how Anonymous declares war on Orlando, right? Well, what 
that meant was they defaced the Orlando City website. Maybe a 
year from now they will be able to do a little bit more, and I think 
we are on track to find that out the hard way. 

Mr. McCaul. Well, my concern with those groups is that they 
sometimes may be — organized crime may be the real perpetrator, 
but they take the credit for it and sort of provide a ruse. 

I see my time is expired. I can ask a lot more questions, but 
thank you for being here today. 

With that, I recognize the Ranking Member Mr. Keating. 

Mr. Keating. Thank you, Mr. Chairman. 

Two things that were raised. The idea of incorporating protec- 
tions into the design work, and another issue that was raised was 
the fact that you had companies that have been victims of attack 
and haven’t been forthright in acknowledging what that is or the 
extent of it, what damages they had or what happened. 

I think those two things call into question again the role that 
academia can play in this regard, being more neutral and being 
part of design. 

With that, I would like to ask Dr. Flynn what on-going research 
projects are in place, not only in your university but around the 
country that you are aware of? How can Congress act to extend 
those and make that more beneficial in our efforts against cyberse- 
curity attacks? 
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Mr. Flynn. Thank you very much for your question, Ranking 
Member Keating. It is probably a bit overstated to say they have 
been missing in action, but it is not too much overstated. I mean 
to a large extent, we really have not engaged our academic commu- 
nity to work at this problem at the outset of it. Clearly we have 
some infrastructure in place. The Department of Homeland Secu- 
rity has centers of excellence that have been set up, the National 
Security Agency has created similar kinds of output. So you have 
some outreach to engage some of this enormous intellectual capital 
we have. But we really haven’t gone into the universities and given 
the challenge, the kind of things that we have done in past history 
where we have really embraced that intellectual capital and fo- 
cused it and channeled it in a constructive way. 

In our area of the country up in the Northeast, in fact, five uni- 
versities — Harvard, MIT, Boston University, University of Massa- 
chusetts, and my own Northeastern University — have come to- 
gether with some private-sector players to build an advance cyber- 
security center. Some of the folks who were in on the origin of help- 
ing to drive the information age feel some responsibility to help 
work it. But to the extent that kind of regional effort, we have clus- 
ters of expertise, and we have them in Texas, we have them in Se- 
attle, we have them in big pockets across our country, the sense 
that we can harness that, I think through regional efforts, will be 
an enormously positive contribution, both to set the alarm, set the 
challenge, engage folks and then ultimately to work toward some 
solutions. 

Mr. Keating. Thank you. Dr. Flynn. 

You mentioned, and Mr. McClure mentioned, that there are ac- 
tual, now, transitions into physical danger; people can be mur- 
dered. I wanted to first address this to Mr. Henry and then anyone 
else that might want to comment on this. 

But what can we do in Congress to — I am a former prosecutor 
myself — what can be done to extend — I would imagine the jurisdic- 
tional issues would be difficult even if you are successful in finding 
out who is responsible for these actions. But Mr. Henry, what can 
be done here in Congress to help that effort, because it will help 
not only bring people to justice that are responsible, but it would 
help as a deterrent as well. I would imagine one of the things that 
is difficult in this is finding a deterrent when people do this, be- 
cause they might feel that they are, in a criminal sense, judgment- 
proof or not being able to prosecuted. So do you have any sugges- 
tions as to what we can do in Congress in that regard? 

Mr. Henry. Yes, sir. I think that you hit on it right there. With 
the Computer Fraud and Abuse Act primarily, we are looking at 
stiffening the penalties for the breaches and for those who are 
stealing information. I think that the deterrence is critical. I said 
that we have an adversary problem. These are adversaries who are 
launching viruses, who are launching Trojans, who are breaking 
into computers. There are people, and by reaching out and touching 
these people and taking them off the playing field, we are having 
an impact on the threat. It is a way for us to mitigate the threat. 
Stiffer penalties that are more rigorous, certainly from an enforce- 
ment perspective or an investigation perspective, I think we will 
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have a larger impact and will raise the cost of adversaries for what 
they do on a day-to-day basis. 

Mr. Keating. What can we do in terms of international coopera- 
tion in this regard? Because they can be launched from any coun- 
try, any jurisdiction. 

Mr. Henry. Absolutely. Anybody, anywhere in the world with an 
internet connection and a $500 laptop is a potential subject in any 
investigation. The attribution, to who may have done that type of 
attack, is a critical piece. 

When I was in the FBI, we worked very, very closely with foreign 
partners. The Bureau continues to do that, as well as other agen- 
cies, where we actually put FBI agents into the National police 
agencies of a number of countries in Eastern Europe and Western 
Europe, physically sitting side by side, working these investiga- 
tions. I think we have to continue that both from an intelligence- 
sharing perspective and from collaborative investigations. 

Mr. Keating. We have security treaties with other countries. 
Can you see that being expanded in terms of cybersecurity treaties 
with other countries around the world and expanding that to a 
greater level? 

Mr. Henry. I think that has got to be a constant dialogue. I 
mean, this is a problem that doesn’t face just the United States. 
It faces good societies and good people around the world. People are 
using this as a tool and as a weapon to promote their means and 
to promote their criminal operations. We have to have that dia- 
logue regularly. 

Mr. Keating. Thank you, Mr. Chairman. 

Mr. McCaul. I thank the Ranking Member. The Chairman now 
recognizes the Ranking Member of the full committee, Mr. Thomp- 
son, for 5 minutes. 

Mr. Thompson. Thank you very much, Mr. Chairman. I agree 
with all of the comments that have been made relative to the seri- 
ousness of this issue. I listened with great interest to our panel of 
witnesses, and I am going to kind of ask for a little more help from 
you with my questions. 

If you were sitting in our seat, having to craft legislation that 
would provide the tools that you think would be necessary to get 
our hands around this issue, given what you know and the serious- 
ness of this issue, what two or three things do you think that kind 
of cybersecurity legislation would need? Mr. Henry, I will start 
with you. 

Mr. Henry. The first one, for me, that I think is the most critical 
is data breach reform, data breach reporting. Currently there are, 
as the committee knows, I am sure, 47 State data breach laws. 
There is a lot of confusion that I see in the private sector, from or- 
ganizations that are breached, on to whom to report and when to 
report. I think the failure to report is a problem for all of us. I 
think that those companies, those infrastructures in those organi- 
zations are being used by our adversaries. They are part of the 
problem. If that is not reported, if there is not some type of remedi- 
ation done, that continues to be a problem. 

From my perspective, when I was in the FBI, in some of our 
most successful cases where we were able to effectively reach out 
across oceans and put our hands on people, it was really the times 
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when organizations came forward very quickly, which enabled us 
to get attribution through analysis of their network in collaboration 
with them. That is really, really critical. So data breach reporting. 

The second one is intelligence sharing, the ability for the Govern- 
ment to share broadly across infrastructure, to help raise the de- 
fenses, and to make organizations much more secure by providing 
some of those signatures that are not necessarily out in the hands 
of the general public but will enable critical infrastructure and or- 
ganizations as a whole to better protect themselves. 

Mr. Thompson. Mr. Lewis. 

Mr. Lewis. Thank you. There are some very useful bills in the 
House and they will do some good things. But the ultimate test will 
be: Do you give the Government more authority to mandate secu- 
rity, to protect critical infrastructure facilities? If we don’t do that 
this year, an attack is inevitable. Now, I know that there is a lot 
of contention on this issue, and I know there are questions about 
the ability of some agencies to carry out this function. But the ulti- 
mate test will be, do we require better security for critical infra- 
structure? If the answer is no, the Congress will have failed. 

There are good things on the information-sharing side, on the re- 
search side, but the ultimate test is critical infrastructure. 

Mr. Thompson. Mr. Wilshusen. 

Mr. Wilshusen. I would also echo what each of my colleagues 
have mentioned, but I will also talk to clearly define what the roles 
and responsibilities of the Federal agencies are in Federal Govern- 
ments with respect to not only protecting and securing its own sys- 
tems but also the support and assistance they can provide to the 
private sector and protecting particularly critical infrastructure 
sectors. 

Mr. McClure. I agree on the information sharing. I think it is 
absolutely key. But the only downside is that it is very reactive. 
The proactive side of it would be to really think about, how do you 
provide guidelines, either incentives or mandates, around secure by 
design? You know, a power plant might not be able to control how 
a PLC is designed from Germany, but they can absolutely not buy 
that PLC if it is not secure. So it is up to them, and I think we 
can provide better guidance, sir, on that. 

Mr. Flynn. Everything I have heard so far are things that I 
would endorse. I would certainly endorse the legislation, Mr. Chair- 
man, you are trying to advance as well with the Ranking Member. 

I would add, one of the areas that we really need to do a better 
job at the risk mapping; particularly across infrastructure, we have 
got a sector-by-sector approach. When you hit one, what we don’t 
have is a very good understanding of how the loss of that one could 
impact on others. So I know the Department of Energy is looking 
into this. But this is something, I think with legislative support, 
let’s map what the consequences are of these attacks. That is a 
great motivator for people to get into the prevention mode. I think 
that could be very important. 

The other key area I think is, err on the side of openness. The 
hearing is doing, I think, a great public service. But a lot of the 
approach we have taken to date is work that is below the surface. 
You are not going to get the American people willing to invest, 
companies willing to invest, unless we talk about the problem with 
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greater candor and with more specificity. I think we need to essen- 
tially err on the side of being more open about the risk to 
vulnerabilities, but obviously develop solutions for attacking these 
problems. Thank you. 

Mr. Thompson. Thank you. I yield back, Mr. Chairman. 

Mr. McCaul. I thank the Ranking Member. 

The Chairman now recognizes the gentleman from Missouri, Mr. 
Long. 

Mr. Long. Thank you. Thank you all for taking your time to be 
here today on this important subject. I would be remiss. Dr. Flynn, 
if I didn’t mention that for the last few months, I have had a young 
lady from your university. Northeastern, interning in my office. If 
she is emblematic of your university and of college students today, 
I would say that this country has a very bright future. 

Mr. Flynn. They are all exactly like her. 

Mr. Long. All righty. Send me some more, will you? 

In 1941, my dad was a junior in high school. So he and people 
of his vintage can tell you where they were during the attack on 
Pearl Harbor. I can tell you where I was when JFK got assas- 
sinated. I can also tell you where — most people 16 years and older 
can probably tell you where they were on 9/11. We all remember 
that. I think I can predict with great certainty where I will be 
when we have our first devastating cyber attack. I have two op- 
tions: I will either be in a full committee hearing on cybersecurity 
or a subcommittee on cybersecurity. We are good at talking things 
to death. It seems like we go over this again and again and again, 
but I have yet to really have anyone add any concrete steps that 
we can take to prevent such a horrific attack. 

So, Mr. Lewis, if I were to ask you — I heard one a minute ago — 
but your top three priorities or things that we can do, take to the 
Congress to try to address this situation, because we keep talking 
it and talking it and talking it. The top three things that we can 
do. Just pick out three things that you think are the most vital 
that we can truly make an impact on this situation at preventing 
cyber attacks. 

Mr. Lewis. You know a lot of the legislation that is before the 
House and before the Senate does good stuff, but it doesn’t do 
enough. So we have got to think about a comprehensive approach. 
For me, the most important step that we are not taking is thinking 
about how to deal with the issues of critical infrastructure vulner- 
ability. The difference between now and, say, 5 years ago — 5 years 
ago, it was difficult to say how to secure networks. Now I think we 
can tell you how to secure networks. People will not do it, though, 
unless 

Mr. Long. Let me ask you — let me interrupt you for a second. 

Mr. Lewis. Sure. 

Mr. Long. Before I came to Congress I was in a business where 
there was a large group of people that all needed to access, from 
several different companies, but access the same information on 
the internet. We would carry a fob with us that had — I think it was 
a nine-digit number and that number would change about every 90 
seconds. So if you wanted to log onto your computer — systems like 
that, would those be beneficial on a wider scale, or not? 
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Mr. Lewis. Remember, what was it, last year we had a story 
about — it was a false story but people got all excited because they 
thought that Springfield, Illinois, had their water system hacked. 
That turned out to be not true. But the story behind it was actually 
a little scarier, because they weren’t hacked. The contractor was 
calling in from Russia. I thought to myself, “That is bad in so many 
ways, right?” So yes, having a requirement for people to better au- 
thenticate themselves when they log into critical infrastructure 
networks would be a good step. There are other things we can do. 
But right now 

When I told you about this search software that would find 
vulnerabilities, the easiest vulnerability to find is — you all know 
when you have bought a computer, when you have bought a router, 
that it comes configured with the username as “administrator” and 
the password is “password.” If you go out and look at critical infra- 
structure, you will find some networks have not been reconfigured. 
So getting people to reconfigure, getting people to better authen- 
ticate, getting people to think about what they have attached to 
their systems, all of these would make a big difference. 

When you talk to companies and you say to them, “Do you have 
your control systems connected to the internet?” Almost all of them 
say no, right? When they say that, they believe it. Now it turns out 
they are always wrong, right, they don’t know because these are a 
lot of computers. Nothing malicious here. But getting people to 
have a better understanding of what is connected to the internet, 
how it connects, and who can use it, these are all things we can 
do, but it won’t happen magically. So that is where Congress could 
make a very big difference. 

Mr. Long. Okay. You were talking about Springfield, Illinois, a 
false story out of there. 

Springfield, Missouri, my hometown. I have said this before in 
committee hearings. But we had a small title loan company that, 
over the weekend, had $440,000 removed from their account and 
it went to Pakistan, which we don’t know if it went on to benefit 
al-Qaeda or what from that point. 

But one real quick wrap-up question for Mr. Henry: Why am I 
concerned if it is China, Russia, Iran, why do I care where these 
attacks come from? Don’t we need to be concerned with combating 
the problem more than where it is coming from? Everybody goes 
back to where it might be coming from. 

Mr. Henry. Well, sir, I think that it is really important for us 
to understand who the adversary is so we can take other actions. 
I say that we have an adversary problem. I think there are things 
we can do as a Government to define for the adversaries what the 
red lines are and what the repercussions are for crossing those red 
lines. So if in fact we were able to identify that a particular country 
took the plans to our next-generation fighter plane, that we would 
take actions, as a country, against them, whatever it may be, 
whether it be diplomatic, economic, or military. 

Mr. Long. But to prevent that from happening the next time 

Mr. Henry. So from my perspective, I think if we, as people who 
are monitoring security on networks, have an understanding of 
who the adversary is, the tactics, techniques, procedures that they 
are using, the information that they are going after, we can get a 
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better sight picture of who that adversary is, and it helps us to bet- 
ter defend. It helps us from a strategic perspective. 

If you are protecting the network and you know a particular 
country is looking for plans to a particular device, you can change 
how that data is stored, you can change how it is transmitted, you 
can change how it is maintained on the network. There are actu- 
ally procedures that network owners can take to better defend 
themselves. 

So I believe that using intelligence and by being proactive, you 
can be predictive and then preventive. You can predict who is going 
to attack what and where, and it helps you prevent. 

Mr. Long. I am way past my time. I yield back. 

Mr. McCaul. I thank the gentleman. 

Just on the point of specific recommendations, I wanted to brag 
on my colleague, Mr. Lewis. The CSIS report made many specific 
recommendations. Some have been taken up by the Congress and 
some have not, but I want to thank you again for that great work. 

With that, I recognize the gentlelady from New York, Ms. Clarke. 

Ms. Clarke. Thank you very much Mr. Chairman. I thank our 
Ranking Member for this very important Oversight, Investigations, 
and Management Subcommittee hearing. I want to associate my 
comments with the comments of Mr. Long about frustration when 
it comes to to this conversation about the urgent action that is re- 
quired to protect our Nation’s infrastructure from the constant bar- 
rage and bombardment, the attack on our systems, because it just 
seems as though we just keep having this conversation. Under- 
standing the threat that we are under, understanding the constant 
attack that we are under, but we are not making the types of head- 
way that we need to make. 

All of us have a role to play here. We have a legislative role to 
play. It seems that we tinker at the margins. I am very concerned 
that — you know, as a New Yorker, someone who could not have 
imagined that airplanes could be turned into missiles, that we are 
not imagining the real devastation that we could be under with the 
click of a mouse at any point in time. So, gentlemen, I think — you 
know your expertise is well noted. 

One of the things that I would like to ask of you is whether you 
have had an opportunity to review the bill that was passed out of 
the Homeland Security Committee for cybersecurity and whether 
any of you are in a position to comment on that legislation? 

This is Cybersecurity Week. There are a number of bills that are 
moving to the floor to be passed this week, but none of which have 
the level of comprehensiveness as the bill that was passed out of 
this committee; yet that won’t be taken up this week. So I am just 
trying to figure out how serious we are here and what each of you 
respectively believes should be the next move of this legislative 
body when it comes to legislation. 

Don’t all click at once. I don’t want to put anyone on the spot. 
Some folks may not have had an opportunity to see it yet. But Mr. 
Lewis, you are nodding so maybe you can 

Mr. Lewis. Yes. I think I am the stuck key on this one initially. 

The original bill that emerged from the committee I think was 
a very strong bill and would have gone a long way to putting us 
in a better position than we are today. I think a lot of people were 
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surprised when we saw the amendment. The easiest way to de- 
scribe it is the original bill was, I believe, 45 pages and the amend- 
ed bill was 34 pages. So the question you want to ask is: What was 
in those 11 pages that came out? If I had any advice, it might be 
to add those 11 pages back in. These are always difficult issues. 

If I have learned one lesson this year, it is that you shouldn’t try 
to do major legislation in an election year. But I think this is a case 
where we can put the two bills side by side and see one — and I ap- 
plaud the authors of it — one was very strong. The other is less 
strong. So maybe we need to reconsider. 

Mr. McClure. I am not detailed around some of the bills that 
have come up. But I will say that we have always found that incen- 
tives tend to motivate quite a bit, but they have to be specific. Any- 
thing around, for example, finding the problem before a bad guy 
does or finding the vulnerabilities, for example, and then patching 
and fixing them in an acceptable window of time, what we call the 
window of exposure, right? 

We are also enforcing, as we talked about earlier, enforcing 
strong authentication. It is really hitting — if you can just hit the 
80/20 rule of security, which is that 80 percent of the risk is rep- 
resented by 20 percent of the problems, you are going to go a long, 
long way to making it simple to do, but also very impactful. 

Mr. Flynn. If I might just add, clearly one of the core issues has 
been, to what extent should Government play a more enforcement 
role. Clearly one of the issues that we have seen laid out here is 
the market has not been able unto itself to figure out how to put 
together adequate standards that are essentially being enforced 
within the market to deal with this risk. What has been particu- 
larly a problem is information providers interacting with critical in- 
frastructure owners, people in the physical world who often are un- 
aware of the vulnerabilities that they are investing in. 

There is a moral hazard problem there. We typically deal with 
moral hazard through some form of standard-setting and enforce- 
ment of that standard. The bottom line here is that this is an inter- 
esting philosophical battle. But at a practical level, we need a much 
more mature process for identifying standards and figuring out 
how to enforce them. So where I think we should be more creative 
is around third parties as a fee-based approach, whatever is re- 
quired here. But at the end of the day, purely voluntary approaches 
I think will not get us to where we need to be. 

Ms. Clarke. Thank you, Mr. Chairman. I yield back. 

Mr. McCaul. Thank you. The Chairman now recognizes the gen- 
tleman from South Carolina, Mr. Duncan. 

Mr. Duncan. Thank you, Mr. Chairman. Just a quick question: 
If Congressman Long sent a tweet out during a hearing on cyberse- 
curity, is that a contradiction? 

I just got a Facebook message from someone that said, “Please 
vote ‘no’ on SISA, SOPA, PIPA, and H.R. 1981.” 

There is dramatic concern within the populace that there will be 
a Government overreach as we try to protect American systems on 
the private sector and the public sector. So I think we have got to 
tread lightly. What has been a concern of mine is: Where do we 
cross the line as a Government trying to protect our citizens when 
it comes to civil liberties and private information that will be not 
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only captured during this process but possibly retained? We had a 
long debate about retention of that and when it should be eradi- 
cated from the computer files. But is it ever really eradicated? 
There are a lot of questions that came to mind during that debate 
that I think are definitely worthy of further discussion, especially 
this week. 

But Mr. McClure, I have got a question for you: What is the role 
of the public sector in protecting the United States Government in- 
stitutional systems and the role of the private sector, primarily the 
free market, which I firmly believe that the free market can do it 
better than any Government entity? 

A case in point would have been Cash for Clunkers. If a private 
entity would have been running that program, I don’t think we 
would have seen the problems that we saw from the dealers. 

So primarily the free market, in finding solutions to protect 
American systems, both public and private. So where is that bal- 
ance? From the Federal Government, the public sector, trying to 
protect its institutions and also raise awareness of this, but the pri- 
vate sector and the free market finding those solutions for us. 

Mr. McClure. Well, I think that when it comes to the private 
sector, obviously the buck is what motivates, right? So if they can 
either sell more stuff, more products, more widgets, because it is 
secure or because it is more secure than a competitor, that draws 
a lot of interest. So from an incentive perspective, that works out 
quite well. 

I think when you start to move to the public sector, there is little 
incentive around that of making an extra buck. So from that per- 
spective, I think you know more mandates and more guidelines 
have to be enforced. Now, where the two come together, in my 
book, is they really haven’t, up until this point, and they need to 
in some form or fashion bring together both sides at the top levels 
to — not just for information sharing but also for helping to set and 
establish the guidelines that each other will be measured against, 
if you will, around security. Because this is very — it is actually 
quite simple to prevent a lot of bad stuff from happening that is 
just not happening. That has been the frustration in doing this for 
20-plus years, is we know what solves this problem. It is just an 
issue of getting people to move and act to do it, and making it a 
priority within their organization. That is the bottom line. 

Mr. Duncan. I know academia is working with both. So I am 
going to ask you to step out of that and ask — we have got some 
public entities there. Do y’all want to answer that question? Do you 
want to chime in on that? 

Mr. Lewis. Well, two points: It is a good question. The first is 
knowing the work that Chairman Rogers and Ranking Member 
Ruppersberger have done on the bill. It is not SOFA, right? There 
is an effort to try to tag SOFA to it because everyone hates SOFA 
and they go ballistic when they hear it. 

They have made an effort to protect privacy. I think the changes 
in that bill are essential. You know, they update old legislation 
from the 1980s, from dial phones and copper wires, to let Govern- 
ment and companies work together better. So when I look at the 
bill, I don’t think it poses a great risk to privacy. I realize there 
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are concerns. Perhaps when it goes to conference or when it moves 
along in the voting process, those can he addressed. 

Mr. Duncan. Thank you, Mr. Chairman. I don’t have anything 
further. I yield back. 

Mr. McCaul. Thank you. The Chairman now recognizes the gen- 
tleman from Illinois, Mr. Davis. 

Mr. Davis. Thank you very much, Mr. Chairman. Thank you, 
gentlemen, very much for being here. 

I guess we have always been concerned about the economic im- 
pact and never have we been more concerned about it than now. 
I often hear people try to estimate, say, what the cost of security 
operations are, what the impact of 9/11 has been on our economy, 
and what the economy would be like perhaps if we had not experi- 
enced that attack, and all of the different things that we have had 
to do to try to prevent it from occurring. 

There are estimates and studies that have suggested that there 
might be as much of an annual cost of about $40 billion a year 
from cyber attacks. Do any of us know how that information was 
arrived at, or the basis upon which those estimates are being 
made? 

Mr. WiLSHUSEN. I would just say from our view, we don’t know 
exactly how that information has been derived or the methodology. 
Indeed, in many cases we have found that cyber crime is often 
underreported and the amounts and estimates that are made, they 
vary widely from, you know, tens of billions to hundreds of billions. 
So the actual amount that has been the result of cyber crime, it 
is hard to really difficult. But it is likely to be a very large number. 

Mr. Lewis. If I could just add to that. I used to think that people 
just used a magic eight ball and if they didn’t like the number, 
they flipped it. But there are a couple of things we can look at. 

The first is I would note that the National Intelligence Council 
is attempting to estimate the cost of cyber losses. The Economic In- 
telligence Unit, which is a branch of the Economist magazine is 
doing it. Cambridge University is doing an estimate. So in the next 
year, we might see three estimates. 

One thing you could look at is you could look at Germany which 
did its own estimate of its losses through cyber espionage, economic 
espionage. I believe the figure they came up with was about $24 
billion. Now the U.S. economy is five times as large as the German 
economy, so that gives you a range. We don’t have a good figure, 
but we are working on it. It looks to me like it will be in the low 
hundreds of billions. 

Mr. Flynn. I was just going to add. Congressman, that I think 
you made a very compelling analogy. The cost often is what hap- 
pens after a catastrophic event. So when we have a cyber Pearl 
Harbor, that is where we really start to see the numbers, in part 
because of the rush to deal with the uncertainty. 

The case I try to make to my private-sector friends when we talk 
about these issues, we are. No. 1, trying to prevent things, but we 
are also trying to prevent the overreaction, the associated cost. 
That is why getting standards at the outset, agreed upon, that pass 
the smile test, those are critical in terms of protecting our economy, 
protecting the market against these kinds of threats. 
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Mr. Davis. There are some people who think that we might he 
engaged in a hit of overkill in terms of how much time, energy, ef- 
fort, money, everything else that we are putting into the notion of 
trying to create as secure an environment as we can possibly have. 
What would you say to people who express that kind of thought? 

Mr. McClure. I would say that it is a little shortsighted, that 
it is as big as you hear, and probably three to four times. I have 
done countless, hundreds and hundreds of investigations, incident 
response exercises, and have cleaned up after. I can tell you that 
the estimates that have come from all those engagements are typi- 
cally far diluted because of their — No. 1, just inability to actually 
quantify the loss. The attempts to do it are quite flawed, especially 
because of the urgency of the remediation attempts. So for me, it 
is highly underestimated. 

Mr. Davis. So you would still say the old adage that an ounce 
of prevention is worth much more than a pound of cure? 

Mr. McClure. Without a doubt. 

Mr. Davis. Thank you, gentlemen, very much. Thank you, Mr. 
Chairman. I yield back. 

Mr. McCaul. I thank the gentleman. Let me just in closing say, 
first of all, thank you for being here. You provide great insight. 

We do have four bills going forward this week. With respect to 
the bill that passed out of this committee, I do believe it has the 
core components that the Secretary and the director of NSA asked 
for, and that is codification of existing legal authorities and an in- 
formation-sharing system through the National Cybersecurity and 
Communications Integrations Center. We also have the ISECS out 
there as well. 

I know the Intel bill also makes DHS a hub for cyber threat in- 
formation sharing within the Government. I think anytime we deal 
with the private sector, we always have to be careful of that bal- 
ance of incentivizing versus unduly burdensome mandates. It is al- 
ways a balance between security and that. I would always prefer 
to incentivize when possible. But this is a very, very important, se- 
rious issue. And it is my sincere hope, as I mentioned to the Rank- 
ing Member of the full committee — you being Ranking on the cy- 
bersecurity committee — that we can work together on this impor- 
tant legislation. The issue is too important for the American people. 
I think everybody standing up here or sitting here at the dais un- 
derstands that. 

So with that, we thank the witnesses again. Without objection, 
this hearing is adjourned. 

[Whereupon, at 3:35 p.m., the subcommittee was adjourned.] 
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Statement of John Watters, Chairman and CEO, iSIGHT Partners, Inc. 
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Chairman McCaul, Vice Chairman Long, Ranking Member Keating, and other 
distinguished Members of the subcommittee, thank you for the opportunity to offer 
testimony to the Subcommittee on Oversight, Investigations, and Management. 

My name is John Watters and I am the Founder, Chairman, and CEO of iSIGHT 
Partners, Inc, a highly-specialized cyber risk management company. We launched 
over 5 years ago to help the public and private sectors assess and adapt their secu- 
rity measures against the rapidly intensifying cyber threat environment. The in- 
sights we provide into adversarial capability drives efficient resource utilization and 
focus on key threat concerns as opposed to noise that cannot be translated into miti- 
gation. At our core, iSIGHT Partners has a world-class cyber threat intelligence ca- 
pability delivering research, analysis, and a “community defense” against emerging 
threats from around the globe. 

Threats to the cyber environment where our citizens, critical infrastructure, in- 
dustry, and governments operate have intensified dramatically in recent years. This 
should come as no surprise, as the efficiency, effectiveness, and anonymity of cyber 
attacks have expanded to encompass every traditional threat category. Criminals 
understand that stealing no longer requires putting themselves in danger by com- 
mitting traditional crimes using a weapon, such as bank robbery. In today’s high- 
tech world, criminals easily and efficiently steal millions of dollars simply by cre- 
ating aliases and obtaining a few keystrokes from their victims using tools readily 
available in underground forums. Nationalist actors recognize that they need not 
risk human assets to gain access to vital National interests when they can navigate 
the connected world of computers to establish a virtual presence and route informa- 
tion back home without a passport or visa and without leaving an evidentiary trail. 
The shift from the physical space to cyber space has already transpired, and the re- 
sulting risks to industries and governments are substantial and growing. Unfortu- 
nately, we continue to look internally for ways to combat cyber crime, when the so- 
lution requires that we look externally. 

Given the incredibly complex set of challenges we face in securely and efficiently 
managing our businesses and the Government while contending with these in- 
creased risks, we must embrace change as a constant and adapt accordingly. Absent 
an adaptive defense to an adaptive threat environment, we will fall further behind 
in our ability to prevent successful attacks targeting our interests. And small busi- 
nesses, as the innovation engine of our country, are able to focus on not only con- 
fronting but actually outstripping the adversary’s rapid pace. 

In the past, in what could now be called “Cybersecurity 1.0,” we resourced inter- 
nal environments with a layered approach of people, processes, and technologies. 
This approach began at the perimeter and layered back to the core, where critical 
operations and information reside. However, as technologies have become more ad- 
vanced and interconnected, these layers have shrunk, and the adversary’s ability to 
traverse our networks has grown tremendously. In some cases, this phenomenon re- 
lates to bad security practices, such as password reuse. In other ways, the com- 
plexity of our own environments increases likely ingress and attack points through 
which adversaries can gain access to our critical information. While our defenses are 
enhanced because we can correlate events from different devices in different layers, 
the reality is that our adversaries have watched our slow adaptation and responded 
accordingly with more sophisticated and coordinated attacks; they are adapting to 
our moves, but we are slow to comprehend and adapt to theirs. 

However, improvements to our cybersecurity posture should not go unnoticed. 
Now that we have resourced our environment and refined our overall security pos- 
ture, our future success in combating cyber threats resides in our ability to 
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tactically and operationally adapt our defense to new and emerging attack meth- 
odologies. We now have a security infrastructure that we can manage, but the ques- 
tion is whether we manage it with insight into our adversaries and their capabilities 
or continue to blindly attempt to secure critical intellectual property and informa- 
tion. In summary, “Cybersecurity 1.0” was vulnerability-based, and we 
benchmarked ourselves against regulations and what we thought were best prac- 
tices. However, absent adversary insight, we will continue to hunt in our own envi- 
ronment for vulnerabilities that, in many cases, have already been exploited and try 
to close those security gaps. We have taken this approach for more than a decade 
with very little success. To more effectively combat cybercrime, we must move away 
from the old model and begin to benchmark our countermeasure posture in light of 
current attacks executed within our borders and from abroad and adapt our de- 
fenses accordingly. 

Now we need to exceed the innovation pace of our adversaries. As our country’s 
global advantage has traditionally centered on the creativity spawned by small busi- 
nesses, it is imperative we feed this innovation engine and embrace industry ad- 
vances in this mission. Consequently, “Cybersecurity 2.0” must better manage our 
environment in light of the adversary’s capabilities and attack methods and defend 
against the “new normal” of increased threat pace and capabilities. Addressing how 
to effectively manage decentralized environments associated with National infra- 
structure, global businesses and globally distributed networks where our sensitive 
data, processes, and intellectual property reside is the challenge. We need to decen- 
tralize our awareness outward beyond our perimeter. Rather than focus on what we 
alone see, our goal should be to build a common shared understanding of the threats 
we face with a focus on knowledge rather than more data. Just as important, we 
need to learn from each other’s experiences. The key message is that one entity’s 
reactive can be the next entity’s proactive if these insights are rapidly shared. In 
others words, where we have common concerns and common threats with which to 
contend, we need common insights with shared solutions to combat those shared 
problems. Given the broad range of motivations behind adversaries using very simi- 
lar attack methods, sharing individual lessons learned to create a “community de- 
fense” will enable businesses and Government to more effectively combat cyber 
crime. 

The strategy of volunteer coordination or using a variety of Government entities 
for sharing is riddled with challenges. For example, one of the more critical chal- 
lenges facing the traditional intelligence mission lies in the classification structure 
that renders real-time information sharing across common stakeholders — most man- 
aging unclassified networks — unfeasible. These security restrictions essentially pre- 
vent cyber threat intelligence analysis from being shared. In other words, most of 
the intelligence sourcing from the Federal sector takes place in secure environ- 
ments, and the resulting analysis of attacks is inherently difficult to share. 

In addition, the current construct of information sharing is limited by the absence 
of a trusted intermediary that can convert shared information into actionable intel- 
ligence and rapidly deliver that intelligence to each community member. To convert 
this idea into action and enable entities to proactively support the entire commu- 
nity, each community member must help fund tactical, operational, and strategic in- 
telligence information gathering. 

We need a global window into and network of all research resources. Federal secu- 
rity activities tend to focus deeply on a relatively tight set of specific cyber threats. 
However, global commercial entities do not have that luxury because their people, 
information, and networks are globally distributed. Therefore, they must gain access 
to emerging threat data and victim data from around the world, rather than from 
one specific nation, sector, or entity. This requires community-building around the 
world, developing relationships and focusing on the transfer of knowledge rather 
than simply deploying machine sensors that witness technical indicators and events. 
Without the context associated with the indicators, it is impossible to attribute an 
attack to the appropriate threat category and source data that is associated with 
the analysis. Absent context, community members cannot effectively assess whether 
they are seeing something of critical importance or just another spam attack. 

In summary, we need an analytical pace that matches the rapidly developing pace 
of cyber threats. This is a resource- and time-intensive activity requiring complete 
integration of global insight, an analytical team and structure that processes infor- 
mation into structured analytical products and a delivery method that enables com- 
munity members to filter analysis based on the appropriate and specific customer 
and operation. An executive in one department of the Federal Government has a 
very different set of needs from a security operations center analyst in a fusion cen- 
ter, which is different from the fraud prevention team of an on-line bank with 
branches in Europe and South America. In short, intelligence analysis must address 
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tactical, operational, and strategic needs while supplying various views of the anal- 
ysis for each community member’s category and sector. 

Since June 1, 2010, iSIGHT Partners has been fortunate to provide these capabili- 
ties in support of the entire Federal, State, and local civilian government through 
a single enterprise contract with the Department of Homeland Security’s (DHS) 
United States Computer Emergency Readiness Team (US-CERT). Over the past 9 
months alone, iSIGHT Partners has delivered more than 18,000 intelligence reports 
and updates with more than 8,500 associated technical threat indicators. During the 
same 9-month period, we responded to nearly 500 analysis requests while holding 
nearly 200 meetings with those we support. Most recently, US-CERT has begun 
leveraging a large number of our indicators as part of its Joint Cybersecurity Serv- 
ices Pilot. These threat indicators connect to specific intelligence analyses which en- 
able each unique organization to tune their own security environment to detect and 
defend against specific cyber attacks that have been observed and analyzed. As 
threat indicators are triggered, defenders now have context about what attack was 
just defeated based on its connection to associated analysis. To that end, for exam- 
ple, Section 935 of the Ike Skelton National Defense Authorization Act for Fiscal 
Year 2011 established the requirement for progress reports from the Department of 
Defense requiring just this sort of shift toward contextual knowledge. And as many 
of our Government users have recognized, this is a game-changer for Government 
security operations. Enabling context and threat categorization in real time also en- 
ables defenders to prioritize resources and focus on serious cyber threats rather 
than taking the traditional approach of attempting to deal with all attacks equally. 

This contracting approach demonstrates the forward-leaning, innovative leader- 
ship within US-CERT and DHS. In today’s budget climate, and as recognized by 
the current administration’s Eederal Information Technology Shared Services Strat- 
egy paradigm of “Shared First,” common problems must be addressed with common 
solutions. 'The ability to contract and deliver this shared solution across the mission 
space is a case study illustrating that fact. Through this program, visibility into 
global cyber attacks against commercial and Government entities has improved tre- 
mendously. Together with US-CERT, iSIGHT Partners has driven a public-private 
partnership, an operational level of information sharing, a mechanism to detect and 
defeat emerging cyber attacks while learning from other community experiences and 
maintained the integrity of non-classified cyber threat intelligence shared uncon- 
strained among Federal, State, and local civilian government members. This ap- 
proach has provided insight into each member’s cyber defense experiences without 
disclosing an individual victim’s identity — this is what “community defense” is all 
about. 

Change in the cyber threat environment will be constant, and the cyber adver- 
saries our country faces are excellent at sharing information and learning from each 
other’s experiences. While we have made some progress in sharing information 
through coordination centers, in order to surpass the innovation pace of our adver- 
saries, entrepreneurial companies like iSIGHT Partners have demonstrated a clear 
capability to embrace this reality. In the end, if we do not shift to an adaptive de- 
fense based on continuously updated, actionable, and sharable threat intelligence, 
our National interests will remain at great risk. 

Thank you again for this opportunity to testify. Most importantly, I want to thank 
each of you for your contributions to the country and your leadership in working 
what is quickly emerging as one of the most important challenges facing the United 
States. 
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